Re: [PacketFence-users] Cisco WLC and guest reconnect issue (CoA)

2024-03-22 Thread Giovanni Trapasso via PacketFence-users
Hi Ievgen, did you figure out this issue you reported in January? It looks like I am also having the same issue.

Sent from Mail for Windows

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Cisco WLC and guest reconnect issue (CoA)

2024-01-05 Thread Ievgen Lepekha via PacketFence-users
Hello,
Yes, of course.
File attached.

Device’s mac: a8:64:f1:d7:fa:e6



From: Fabrice Durand 
Sent: Friday, January 5, 2024 5:34 PM
To: packetfence-users@lists.sourceforge.net
Cc: Ievgen Lepekha 
Subject: Re: [PacketFence-users] Cisco WLC and guest reconnect issue (CoA)

Hello Ievgen,

Can you provide the packetfence.log snippet from when you register on the portal?

Regards
Fabrice


On Fri, 5 Jan 2024 at 08:18, Ievgen Lepekha via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
Hi, all,
Need help.

I integrated PacketFence 13 with a Cisco WLC 3504, configured an SSID with 
open+mac-filter (RADIUS enabled) and 2 ACLs.
Guests on first connection are redirected to the captive portal.
After registration PacketFence should return a new role, but this does not 
happen automatically: PF does not send CoA packets to the WLC. On the switch "Use CoA" 
is enabled, CoA port is 1700 (I've tried port 3799 but nothing works, the 
same result).

If I manually reconnect the device to the SSID (disconnect/connect) then everything works 
(the WLC will send a new RADIUS request and PacketFence should return a new role 
and the necessary ACL).

Help, please, with RADIUS CoA for changing roles automatically.

In PF I use the default template "WLC".
From TCPDUMP on PacketFence on ports 1700 and 3799: nothing.
Also with radclient.
"radsniff -x -p 1700": empty.

(Cisco Controller) >show radius summary

Vendor Id Backward Compatibility. Disabled
Call Station Id Case. lower
Accounting Call Station Id Type.. Mac Address
Auth Call Station Id Type AP's Radio MAC Address:SSID
Extended Source Ports Support Enabled
Aggressive Failover.. Disabled
Keywrap.. Disabled
Fallback Test:
Test Mode Active
Probe User Name.. cisco-probe
Interval (in seconds) 300
MAC Delimiter for Authentication Messages hyphen
MAC Delimiter for Accounting Messages hyphen
RADIUS Authentication Framed-MTU. 1300 Bytes
AP Events Accounting. Disabled

Authentication Servers

Idx  Type  Server AddressPortState Tout  MgmtTout  RFC3576  IPSec - 
state/Profile Name/RadiusRegionString
---      --        ---  
---
6  * N  1812Enabled   5 5 Enabled   Disabled - /none

Accounting Servers

Idx  Type  Server AddressPortState Tout  MgmtTout  RFC3576  IPSec - 
state/Profile Name/RadiusRegionString
---      --        ---  
---
6  * N  1813Enabled   5 5 N/A   Disabled - /none


(Cisco Controller) >show radius rfc3576 statistics
RFC-3576 Servers:
Server Index. 6
Server Address... 
Disconnect-Requests.. 0
COA-Requests. 0
Retransmitted Requests... 0
Malformed Requests... 0
Bad Authenticator Requests... 0
Other Drops.. 0
Sent Disconnect-Ack.. 0
Sent Disconnect-Nak.. 0
Sent CoA-Ack. 0
Sent CoA-Nak. 0
Best Regards,
Yevgen Lepekha
Network engineer
ERC  Kyiv, Ukraine
tel office: +380 44 230 34 74 (1132)





Re: [PacketFence-users] Cisco WLC and guest reconnect issue (CoA)

2024-01-05 Thread Fabrice Durand via PacketFence-users
Hello Ievgen,

Can you provide the packetfence.log snippet from when you register on the portal?

Regards
Fabrice


On Fri, 5 Jan 2024 at 08:18, Ievgen Lepekha via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

> Hi, all,
>
> Need help.
>
>
>
> I integrated PacketFence 13 with a Cisco WLC 3504, configured an SSID with
> open+mac-filter (RADIUS enabled) and 2 ACLs.
>
> Guests on first connection are redirected to the captive portal.
>
> After registration PacketFence should return a new role, but this does not
> happen automatically: PF does not send CoA packets to the WLC. On the switch "Use
> CoA" is enabled, CoA port is 1700 (I've tried port 3799 but nothing works,
> the same result).
>
>
>
> If I manually reconnect the device to the SSID (disconnect/connect) then everything
> works (the WLC will send a new RADIUS request and PacketFence should return a
> new role and the necessary ACL).
>
>
>
> Help, please, with RADIUS CoA for changing roles automatically.
>
>
>
> In PF I use the default template "WLC".
>
> From TCPDUMP on PacketFence on ports 1700 and 3799: nothing.
>
> Also with radclient.
>
> "radsniff -x -p 1700": empty.
>
>
>
> (Cisco Controller) >show radius summary
>
>
>
> Vendor Id Backward Compatibility. Disabled
>
> Call Station Id Case. lower
>
> Accounting Call Station Id Type.. Mac Address
>
> Auth Call Station Id Type AP's Radio MAC
> Address:SSID
>
> Extended Source Ports Support Enabled
>
> Aggressive Failover.. Disabled
>
> Keywrap.. Disabled
>
> Fallback Test:
>
> Test Mode Active
>
> Probe User Name.. cisco-probe
>
> Interval (in seconds) 300
>
> MAC Delimiter for Authentication Messages hyphen
>
> MAC Delimiter for Accounting Messages hyphen
>
> RADIUS Authentication Framed-MTU. 1300 Bytes
>
> AP Events Accounting. Disabled
>
>
>
> Authentication Servers
>
>
>
> Idx  Type  Server AddressPortState Tout  MgmtTout  RFC3576
> IPSec - state/Profile Name/RadiusRegionString
>
> ---      --        ---
> ---
>
> 6  * N  1812Enabled   5 5 Enabled   Disabled -
> /none
>
>
>
> Accounting Servers
>
>
>
> Idx  Type  Server AddressPortState Tout  MgmtTout  RFC3576
> IPSec - state/Profile Name/RadiusRegionString
>
> ---      --        ---
> ---
>
> 6  * N  1813Enabled   5 5 N/A   Disabled -
> /none
>
>
>
>
>
> (Cisco Controller) >show radius rfc3576 statistics
>
> RFC-3576 Servers:
>
> Server Index. 6
>
> Server Address... 
>
> Disconnect-Requests.. 0
>
> COA-Requests. 0
>
> Retransmitted Requests... 0
>
> Malformed Requests... 0
>
> Bad Authenticator Requests... 0
>
> Other Drops.. 0
>
> Sent Disconnect-Ack.. 0
>
> Sent Disconnect-Nak.. 0
>
> Sent CoA-Ack. 0
>
> Sent CoA-Nak. 0
>
> Best Regards,
>
> Yevgen Lepekha
>
> Network engineer
>
> ERC  Kyiv, Ukraine
>
> tel office: +380 44 230 34 74 (1132)
>
>


Re: [PacketFence-users] Cisco WLC and sponsor guest reconnect issue

2019-09-18 Thread Enrico Pasqualotto via PacketFence-users
Hi Nicolas, I found the issue in my WLC version. Unfortunately Mobility 
Express controllers with version < 8.7 have CoA support broken (Cisco TAC 
verified).

Enrico

On 18/09/19 15:27, Nicolas Quiniou-Briand via PacketFence-users wrote:

Hello Enrico,

First, CoA-Messages and Disconnect-Messages are different, see RFC 5176
[1], but they use the same port, 3799 (in some cases 1700).

Based on this:



*radiusRFC3576TransportThread: Sep 10 14:47:42.312: RFC3576 - Received IP 
Address : WLC_IP, Vlan ID: (received 0), management IP WLC_IP
*radiusRFC3576TransportThread: Sep 10 14:47:42.312: Handling a valid 'RFC-3576 
Disconnect-Request' regarding station 18:1d:ea:5d:4b:d9
*radiusRFC3576TransportThread: Sep 10 14:47:42.312: Sent a RFC3576 message 
'RFC-3576 Disconnect-Ack' to PacketFence_IP:(port:46269)



Your device has been disconnected using a Disconnect-Message, not a
CoA-Message. So the WLC will send a new RADIUS request and PacketFence
should return a new role.

Take a look at packetfence.log when a device is trying to register.

[1] https://tools.ietf.org/html/rfc5176#section-2



--
Enrico Pasqualotto

Private mail: epasqualo...@backloop.biz
Office: +39 045 9971269




Re: [PacketFence-users] Cisco WLC and sponsor guest reconnect issue

2019-09-18 Thread Nicolas Quiniou-Briand via PacketFence-users

Hi Enrico,

On 18/09/2019 15:32, Enrico Pasqualotto wrote:
Hi Nicolas, I found the issue in my WLC version. Unfortunately Mobility 
Express controllers with version < 8.7 have CoA support broken (Cisco 
TAC verified).


Good to know, thanks for your feedback.
--
Nicolas Quiniou-Briand
n...@inverse.ca  ::  +1.514.447.4918 *140  ::  https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence 
(https://packetfence.org) and Fingerbank (http://fingerbank.org)





Re: [PacketFence-users] Cisco WLC and sponsor guest reconnect issue

2019-09-18 Thread Nicolas Quiniou-Briand via PacketFence-users

Hello Enrico,

First, CoA-Messages and Disconnect-Messages are different, see RFC 5176 
[1], but they use the same port, 3799 (in some cases 1700).


Based on this:


*radiusRFC3576TransportThread: Sep 10 14:47:42.312: RFC3576 - Received IP 
Address : WLC_IP, Vlan ID: (received 0), management IP WLC_IP
*radiusRFC3576TransportThread: Sep 10 14:47:42.312: Handling a valid 'RFC-3576 
Disconnect-Request' regarding station 18:1d:ea:5d:4b:d9
*radiusRFC3576TransportThread: Sep 10 14:47:42.312: Sent a RFC3576 message 
'RFC-3576 Disconnect-Ack' to PacketFence_IP:(port:46269)


Your device has been disconnected using a Disconnect-Message, not a 
CoA-Message. So the WLC will send a new RADIUS request and PacketFence 
should return a new role.


Take a look at packetfence.log when a device is trying to register.

[1] https://tools.ietf.org/html/rfc5176#section-2
--
Nicolas Quiniou-Briand
n...@inverse.ca  ::  +1.514.447.4918 *140  ::  https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence 
(https://packetfence.org) and Fingerbank (http://fingerbank.org)



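The CoA-Request and Disconnect-Request that Nicolas distinguishes above share one packet layout (RFC 5176 section 2), differing only in the Code octet, and both carry an MD5 Request Authenticator keyed on the shared secret. The block below is an added example, not PacketFence or Cisco code: it builds such a request, checks it the way a NAS does (the "recv'd" versus "calc'd" authenticator pair that appears in the WLC debug elsewhere in this thread), and models the two ways a controller answers, a silent discard on a bad authenticator, which the sender can only observe as a timeout, or an ACK/NAK with a Response Authenticator. The shared secret and the toy NAS are constructed for the example; the MAC and NAS IP are the ones that appear in this thread.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes: CoA and Disconnect share one layout, only the Code differs
CODE_DISCONNECT_REQUEST, CODE_DISCONNECT_ACK, CODE_DISCONNECT_NAK = 40, 41, 42
CODE_COA_REQUEST, CODE_COA_ACK, CODE_COA_NAK = 43, 44, 45
ACK_FOR = {CODE_DISCONNECT_REQUEST: CODE_DISCONNECT_ACK, CODE_COA_REQUEST: CODE_COA_ACK}
NAK_FOR = {CODE_DISCONNECT_REQUEST: CODE_DISCONNECT_NAK, CODE_COA_REQUEST: CODE_COA_NAK}

# Attribute types used below (RFC 2865 / RFC 5176 numbering)
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31
ATTR_ERROR_CAUSE = 101
ERR_SESSION_CONTEXT_NOT_FOUND = 503  # RFC 5176 section 3.5


def encode_attrs(attrs):
    """attrs is a list of (type, value_bytes); returns the RADIUS TLV encoding."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(packet):
    """Walk the TLVs after the 20-byte header; raises on a malformed length."""
    length = struct.unpack("!H", packet[2:4])[0]
    attrs, pos = [], 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def request_authenticator(code, ident, attrs_bytes, secret):
    """RFC 5176 section 2.3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + b"\x00" * 16 + attrs_bytes + secret).digest()


def build_request(code, ident, attrs, secret):
    """Build a Disconnect-Request or CoA-Request as the sending server (PacketFence) would."""
    attrs_bytes = encode_attrs(attrs)
    auth = request_authenticator(code, ident, attrs_bytes, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs_bytes)) + auth + attrs_bytes


def check_request(packet, secret):
    """The NAS-side check: recompute the authenticator with the NAS's own copy of the
    secret and compare it with the received one (the recv'd/calc'd pair in the WLC
    debug). A mismatch is what the controller counts as a Bad Authenticator Request."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    calcd = request_authenticator(code, ident, packet[20:], secret)
    return hmac.compare_digest(packet[4:20], calcd)


def build_response(code, request, attrs, secret):
    """Response Authenticator: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs_bytes = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs_bytes))
    auth = hashlib.md5(header + request[4:20] + attrs_bytes + secret).digest()
    return header + auth + attrs_bytes


def check_response(response, request, secret):
    """Sender-side check of an ACK/NAK against the request it answers."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    calcd = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], calcd)


def nas_handle(packet, secret, active_stations):
    """Toy NAS per RFC 5176: bad authenticator -> silent discard (None, which the sender
    only sees as a timeout); station without a session -> NAK with Error-Cause 503;
    otherwise ACK. active_stations holds lower-case, colon-separated MACs."""
    if not check_request(packet, secret) or packet[0] not in ACK_FOR:
        return None
    attrs = dict(decode_attrs(packet))
    station = attrs.get(ATTR_CALLING_STATION_ID, b"").decode("ascii", "replace")
    if station.lower().replace("-", ":") not in active_stations:
        cause = struct.pack("!I", ERR_SESSION_CONTEXT_NOT_FOUND)
        return build_response(NAK_FOR[packet[0]], packet, [(ATTR_ERROR_CAUSE, cause)], secret)
    return build_response(ACK_FOR[packet[0]], packet, [], secret)
```

Because a packet with a bad authenticator is dropped without any reply, a wrong radiusSecret and an unreachable or filtered port look identical from PacketFence's side, which is why its error message names both causes in one line; the controller's "Bad Authenticator Requests" counter is what tells them apart.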


Re: [PacketFence-users] Cisco WLC and sponsor guest reconnect issue

2019-09-10 Thread Enrico Pasqualotto via PacketFence-users
UPDATE

Using AAA debug on the WLC I saw:

(Cisco Controller) >*radiusRFC3576TransportThread: Sep 10 14:47:42.311: 
processIncomingMessages: Received RFC3576 message from PacketFence_IP of len 57 
with return 0
*radiusRFC3576TransportThread: Sep 10 14:47:42.312: Request 
Authenticator(recv'd) - 96:35:c1:03:c3:31:12:08:dc:55:ea:88:af:91:a2:20
*radiusRFC3576TransportThread: Sep 10 14:47:42.312: Request 
Authenticator(calc'd) - 96:35:c1:03:c3:31:12:08:dc:55:ea:88:af:91:a2:20
*radiusRFC3576TransportThread: Sep 10 14:47:42.312: Received a 'RFC-3576 
Disconnect-Request' from PacketFence_IP port 46269
*radiusRFC3576TransportThread: Sep 10 14:47:42.312: Packet contains 4 AVPs:

*radiusRFC3576TransportThread: Sep 10 14:47:42.312: AVP[01] 
Service-Type.0x0001 (1) (4 bytes)

*radiusRFC3576TransportThread: Sep 10 14:47:42.312: AVP[02] 
Calling-Station-Id...18-1D-EA-5D-4B-D9 (17 bytes)

*radiusRFC3576TransportThread: Sep 10 14:47:42.312: AVP[03] 
Nas-Ip-Address...0x0a010176 (167838070) (4 bytes)

*radiusRFC3576TransportThread: Sep 10 14:47:42.312: AVP[04] 
Nas-Port.0x0001 (1) (4 bytes)

*radiusRFC3576TransportThread: Sep 10 14:47:42.312: RFC3576 - Received IP 
Address : WLC_IP, Vlan ID: (received 0), management IP WLC_IP
*radiusRFC3576TransportThread: Sep 10 14:47:42.312: Handling a valid 'RFC-3576 
Disconnect-Request' regarding station 18:1d:ea:5d:4b:d9
*radiusRFC3576TransportThread: Sep 10 14:47:42.312: Sent a RFC3576 message 
'RFC-3576 Disconnect-Ack' to PacketFence_IP:(port:46269)

But in the PacketFence logs I always see:

Sep 10 14:48:09 jit-pf pfqueue: pfqueue(19856) WARN: [mac:18:1d:ea:5d:4b:d9] 
Unable to perform RADIUS CoA-Request on (WLC_IP): Timeout waiting for a reply 
from WLC_IP on port 3799 at /usr/local/pf/lib/pf/util/radius.pm line 166. 
(pf::Switch::Cisco::WLC::catch {...} )
Sep 10 14:48:09 jit-pf pfqueue: pfqueue(19856) ERROR: [mac:18:1d:ea:5d:4b:d9] 
Wrong RADIUS secret or unreachable network device (WLC_IP)... On some Cisco 
Wireless Controllers you might have to set disconnectPort=1700 as some versions 
ignore the CoA requests on port 3799 (pf::Switch::Cisco::WLC::catch {...} )

From TCPDUMP on PacketFence I saw these packets:

PF => WLC (Disconnect-Request)
WLC => PF (Disconnect-ACK)
WLC => PF (Access-Request)
PF => WLC (Access-Accept)

Is the CoA request what I see in tcpdump?

Thanks
Enrico.

On 10/09/19 07:13, Enrico Pasqualotto via PacketFence-users wrote:
Hello Ludovic, CoA can be the issue, as I saw in the logs:

Sep  9 14:32:03 jit-pf pfqueue: pfqueue(13703) WARN: [mac:90:00:4e:c2:03:1d] 
Unable to perform RADIUS CoA-Request on (WLC_IP): Timeout waiting for a reply 
from WLC_IP on port 1700 at /usr/local/pf/lib/pf/util/radius.pm line 166. 
(pf::Switch::Cisco::WLC::catch {...} )
Sep  9 14:32:03 jit-pf pfqueue: pfqueue(13703) ERROR: [mac:90:00:4e:c2:03:1d] 
Wrong RADIUS secret or unreachable network device (WLC_IP)... On some Cisco 
Wireless Controllers you might have to set disconnectPort=1700 as some versions 
ignore the CoA requests on port 3799 (pf::Switch::Cisco::WLC::catch {...} )

I've tried ports 1700 and 3799 but nothing works.

Also with radclient I got:

(0) No reply from server for ID 173 socket 3
Sent Disconnect-Request Id 173 from 0.0.0.0:54230 to WLC_IP:1700 length 44
Sent Disconnect-Request Id 173 from 0.0.0.0:54230 to 10.1.1.118:1700 length 44
Sent Disconnect-Request Id 173 from 0.0.0.0:54230 to WLC_IP:1700 length 44

(0) No reply from server for ID 157 socket 3
Sent Disconnect-Request Id 157 from 0.0.0.0:49841 to WLC_IP:3799 length 44
Sent Disconnect-Request Id 157 from 0.0.0.0:49841 to 10.1.1.118:3799 length 44
Sent Disconnect-Request Id 157 from 0.0.0.0:49841 to WLC_IP:3799 length 44

BUT if I go to the WLC, CoA seems enabled:

(Cisco Controller) >show radius summary

Vendor Id Backward Compatibility. Disabled
Call Station Id Case. lower
Accounting Call Station Id Type.. AP's Label Address:SSID
Auth Call Station Id Type AP's Ethernet MAC Address:SSID
Extended Source Ports Support Enabled
Aggressive Failover.. Disabled
Keywrap.. Disabled
Fallback Test:
Test Mode Passive
Probe User Name.. cisco-probe
Interval (in seconds) 300
MAC Delimiter for Authentication Messages hyphen
MAC Delimiter for Accounting Messages hyphen
RADIUS Authentication Framed-MTU. 1300 Bytes
CALEA server info:
Server IP 0.0.0.0
Server Port.. 0
Venue
State disabled
Timer 

Re: [PacketFence-users] Cisco WLC and sponsor guest reconnect issue

2019-09-09 Thread Enrico Pasqualotto via PacketFence-users
Hello Ludovic, CoA can be the issue, as I saw in the logs:

Sep  9 14:32:03 jit-pf pfqueue: pfqueue(13703) WARN: [mac:90:00:4e:c2:03:1d] 
Unable to perform RADIUS CoA-Request on (WLC_IP): Timeout waiting for a reply 
from WLC_IP on port 1700 at /usr/local/pf/lib/pf/util/radius.pm line 166. 
(pf::Switch::Cisco::WLC::catch {...} )
Sep  9 14:32:03 jit-pf pfqueue: pfqueue(13703) ERROR: [mac:90:00:4e:c2:03:1d] 
Wrong RADIUS secret or unreachable network device (WLC_IP)... On some Cisco 
Wireless Controllers you might have to set disconnectPort=1700 as some versions 
ignore the CoA requests on port 3799 (pf::Switch::Cisco::WLC::catch {...} )

I've tried ports 1700 and 3799 but nothing works.

Also with radclient I got:

(0) No reply from server for ID 173 socket 3
Sent Disconnect-Request Id 173 from 0.0.0.0:54230 to WLC_IP:1700 length 44
Sent Disconnect-Request Id 173 from 0.0.0.0:54230 to 10.1.1.118:1700 length 44
Sent Disconnect-Request Id 173 from 0.0.0.0:54230 to WLC_IP:1700 length 44

(0) No reply from server for ID 157 socket 3
Sent Disconnect-Request Id 157 from 0.0.0.0:49841 to WLC_IP:3799 length 44
Sent Disconnect-Request Id 157 from 0.0.0.0:49841 to 10.1.1.118:3799 length 44
Sent Disconnect-Request Id 157 from 0.0.0.0:49841 to WLC_IP:3799 length 44

BUT if I go to the WLC, CoA seems enabled:

(Cisco Controller) >show radius summary

Vendor Id Backward Compatibility. Disabled
Call Station Id Case. lower
Accounting Call Station Id Type.. AP's Label Address:SSID
Auth Call Station Id Type AP's Ethernet MAC Address:SSID
Extended Source Ports Support Enabled
Aggressive Failover.. Disabled
Keywrap.. Disabled
Fallback Test:
Test Mode Passive
Probe User Name.. cisco-probe
Interval (in seconds) 300
MAC Delimiter for Authentication Messages hyphen
MAC Delimiter for Accounting Messages hyphen
RADIUS Authentication Framed-MTU. 1300 Bytes
CALEA server info:
Server IP 0.0.0.0
Server Port.. 0
Venue
State disabled
Timer Interval... 8 minutes

Authentication Servers

Idx  Type  Server AddressPortState Tout  MgmtTout  RFC3576  IPSec - 
state/Profile Name/RadiusRegionString
---      --        ---  
---
1  * NMPacketFence_IP 1812Enabled   5 5 Enabled   
Disabled - /none

Accounting Servers

Idx  Type  Server AddressPortState Tout  MgmtTout  RFC3576  IPSec - 
state/Profile Name/RadiusRegionString
---      --        ---  
---

(Cisco Controller) >

(Cisco Controller) >show radius rfc3576 statistics
RFC-3576 Servers:

Server Index. 1
Server Address... PacketFence_IP
Disconnect-Requests.. 465
COA-Requests. 0
Retransmitted Requests... 20
Malformed Requests... 0
Bad Authenticator Requests... 6
Other Drops.. 0
Sent Disconnect-Ack.. 394
Sent Disconnect-Nak.. 51
Sent CoA-Ack. 0
Sent CoA-Nak. 0


Can it be a Cisco bug/issue? Is there another way (other than CoA) to achieve that? 
For example through HTTPS?

Thanks

On 08/09/19 13:36, Ludovic Zammit wrote:

Hello Enrico,

Did you enable CoA correctly on the RADIUS server entry where you defined the PF 
IP address?

Also known as RFC 3576.

Thanks,



On Sep 7, 2019, at 8:48 AM, Enrico Pasqualotto via PacketFence-users wrote:

Dear all, I have a running setup with PF 9 in VLAN enforcement mode where
guests are approved by a sponsor and moved to a guest VLAN (not inline).

Wireless is managed by a Cisco WLC with the SSID in open+mac-filter (RADIUS
enabled).

Guests on first connection are redirected to the captive portal (on the
registration VLAN) and after sponsor approval moved to the correct VLAN.

The issue appears if a guest reconnects to the same SSID after some minutes
(simply reconnecting after standby or being out of signal range), because it prompts
the captive portal again with this error message:

Your network should be enabled within a minute or two. If it is not,
reboot your computer.

After some retries users can register again by asking another approval
from
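The troubleshooting in this thread rests on reading two things together: the controller's `show radius rfc3576 statistics` counters and the pfqueue timeout lines in packetfence.log. The block below is an added example, not a PacketFence tool, that parses both and turns the combinations seen in this thread into findings (nothing counted at all, bad authenticators, Disconnect-Requests but no CoA-Requests, NAKs, and acks that PacketFence nevertheless reports as timeouts). The sample counters and log lines are constructed from the outputs quoted in this thread, re-joined onto single lines; the finding codes are this example's own labels.

```python
import re

# A counter line from 'show radius rfc3576 statistics': label, leader dots, value.
STAT_RE = re.compile(r"^\s*(.*?)\.+\s*(.*?)\s*$")
# The pfqueue line PacketFence writes when a CoA/Disconnect request gets no answer.
TIMEOUT_RE = re.compile(
    r"\[mac:([0-9a-f:]{17})\] Unable to perform RADIUS CoA-Request on \((\S+)\): "
    r"Timeout waiting for a reply from \S+ on port (\d+)"
)

# Constructed samples: the counters and log lines quoted in this thread, re-joined
# onto single lines (the list archive wrapped them).
WLC_STATS_SAMPLE = """\
RFC-3576 Servers:
Server Index. 1
Server Address... PacketFence_IP
Disconnect-Requests.. 465
COA-Requests. 0
Retransmitted Requests... 20
Malformed Requests... 0
Bad Authenticator Requests... 6
Other Drops.. 0
Sent Disconnect-Ack.. 394
Sent Disconnect-Nak.. 51
Sent CoA-Ack. 0
Sent CoA-Nak. 0
"""
PF_LOG_SAMPLE = (
    "Sep 10 14:48:09 jit-pf pfqueue: pfqueue(19856) WARN: [mac:18:1d:ea:5d:4b:d9] "
    "Unable to perform RADIUS CoA-Request on (WLC_IP): Timeout waiting for a reply "
    "from WLC_IP on port 3799 at /usr/local/pf/lib/pf/util/radius.pm line 166.\n"
    "Sep 10 14:48:09 jit-pf pfqueue: pfqueue(19856) ERROR: [mac:18:1d:ea:5d:4b:d9] "
    "Wrong RADIUS secret or unreachable network device (WLC_IP)...\n"
)


def parse_rfc3576_stats(text):
    """Return {label: value}; numeric counters become ints."""
    stats = {}
    for line in text.splitlines():
        m = STAT_RE.match(line)
        if not m or not m.group(1).strip():
            continue
        value = m.group(2)
        stats[m.group(1).strip()] = int(value) if value.isdigit() else value
    return stats


def parse_pf_timeouts(text):
    """One record per pfqueue timeout line: the MAC, the device and the port tried."""
    found = []
    for line in text.splitlines():
        m = TIMEOUT_RE.search(line)
        if m:
            found.append({"mac": m.group(1), "device": m.group(2), "port": int(m.group(3))})
    return found


def diagnose(stats, timeouts):
    """Cross-check the controller's counters against PacketFence's complaints.
    Returns (code, explanation) pairs; the codes are this example's own labels."""
    findings = []
    dm = stats.get("Disconnect-Requests", 0)
    coa = stats.get("COA-Requests", 0)
    bad = stats.get("Bad Authenticator Requests", 0)
    acks = stats.get("Sent Disconnect-Ack", 0) + stats.get("Sent CoA-Ack", 0)
    naks = stats.get("Sent Disconnect-Nak", 0) + stats.get("Sent CoA-Nak", 0)
    ports = sorted({t["port"] for t in timeouts})
    if dm + coa == 0:
        findings.append(("NO_REQUESTS_SEEN",
                         "the controller counted no dynamic-authorization request at all: "
                         "confirm with tcpdump on PacketFence that one is sent, then check "
                         "the port (1700 vs 3799), the controller IP and any filtering in between"))
    if bad:
        findings.append(("BAD_AUTHENTICATOR",
                         f"{bad} request(s) failed the shared-secret check and were dropped "
                         "without a reply, which PacketFence only sees as a timeout; compare "
                         "radiusSecret with the controller's RFC 3576 server entry"))
    if dm and not coa:
        findings.append(("DISCONNECT_NOT_COA",
                         "only Disconnect-Requests were counted: the client is bounced and "
                         "re-authenticated rather than re-authorized in place"))
    if naks:
        findings.append(("NAK_RETURNED",
                         f"{naks} request(s) were refused by the controller (for example no "
                         "session matched the identification attributes sent)"))
    if acks and timeouts:
        findings.append(("ACK_SENT_BUT_TIMEOUT",
                         f"the controller counted {acks} ack(s) yet PacketFence timed out on "
                         f"port(s) {ports}; capture on the PacketFence side to see whether the "
                         "reply arrives at all"))
    return findings
```

Run `diagnose(parse_rfc3576_stats(WLC_STATS_SAMPLE), parse_pf_timeouts(PF_LOG_SAMPLE))` to get the findings for the counters in this thread; feed it an all-zero counter block, as in the later report, to get the single "nothing reached the controller" finding.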

Re: [PacketFence-users] Cisco WLC and sponsor guest reconnect issue

2019-09-08 Thread Ludovic Zammit via PacketFence-users
Hello Enrico,

Did you enable CoA correctly on the RADIUS server entry where you defined the PF 
IP address?

Also known as RFC 3576. 

Thanks,

> On Sep 7, 2019, at 8:48 AM, Enrico Pasqualotto via PacketFence-users wrote:
> 
> Dear all, I have a running setup with PF 9 in VLAN enforcement mode where
> guests are approved by a sponsor and moved to a guest VLAN (not inline).
> 
> Wireless is managed by a Cisco WLC with the SSID in open+mac-filter (RADIUS
> enabled).
> 
> Guests on first connection are redirected to the captive portal (on the
> registration VLAN) and after sponsor approval moved to the correct VLAN.
> 
> The issue appears if a guest reconnects to the same SSID after some minutes
> (simply reconnecting after standby or being out of signal range), because it prompts
> the captive portal again with this error message:
> 
> Your network should be enabled within a minute or two. If it is not,
> reboot your computer.
> 
> After some retries users can register again by asking another approval
> from the sponsor.
> 
> I expect that returning users, if their access duration hasn't expired (12h in
> my case), will be moved directly to the guest VLAN and can use the Internet
> without any other steps. In this case it seems that PF knows the user is
> registered but stays in the registration VLAN.
> 
> I don't use any ACL (on the WLC) or Web Auth URL in my setup; can that generate
> the issue? Any ideas?
> 
> Thanks a lot.
> -- 
> Enrico Pasqualotto
> 
> 
> 
> 





Re: [PacketFence-users] Cisco WLC ver 8.2.

2019-08-01 Thread Domingos Varela via PacketFence-users
Hello,

It's working without FT.
Thanks.

Regards


On Thursday, 1/08/2019, 09:31, pro fence via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

> Hi Domingos,
>
> I am no expert, but I think that you should uncheck "fast transition".
>
> regards,
>
> On Thu, 1 Aug 2019 at 09:48, Domingos Varela via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Hi,
>>
>> I am setting up a Cisco WLC version 8, and when using the manual settings
>> I get this image error.
>>
>> Can someone explain to me what additional Layer 2 definitions I have to
>> use for this version?
>>
>> Thank you
>> Regards
>>
>> Regards,
>>
>> *Domingos Varela*
>> Tel. +244 923 229 330 | Luanda - Angola
>>
>>
>>
>>


Re: [PacketFence-users] Cisco WLC ver 8.2.

2019-08-01 Thread pro fence via PacketFence-users
Hi Domingos,

I am no expert, but I think that you should uncheck "fast transition".

regards,

On Thu, 1 Aug 2019 at 09:48, Domingos Varela via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi,
>
> I am setting up a Cisco WLC version 8, and when using the manual settings
> I get this image error.
>
> Can someone explain to me what additional Layer 2 definitions I have to
> use for this version?
>
> Thank you
> Regards
>
> Regards,
>
> *Domingos Varela*
> Tel. +244 923 229 330 | Luanda - Angola
>
>
>
>


Re: [PacketFence-users] cisco WLC

2018-07-23 Thread Jes Kasper Klittum via PacketFence-users
Yes, we are running PacketFence with an old WLC 4000 series and it works very 
well.

Sent from my iPhone

On 23 Jul 2018 at 14:33, Advancedata Network via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Hi,

Does PacketFence support Cisco WLC?

Sent from Mail for Windows 10



Re: [PacketFence-users] cisco WLC

2018-07-23 Thread Fabrice Durand via PacketFence-users

Hi,

yes

Regards
Fabrice

On 2018-07-23 at 01:54, Advancedata Network via PacketFence-users wrote:


Hi,

Does PacketFence support Cisco WLC?

Sent from Mail for Windows 10






--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)



Re: [PacketFence-users] Cisco WLC unable to reevaluate access on cluster

2018-04-30 Thread Fabrice Durand via PacketFence-users
Hello Luca,

Did it work before?

Can you see some specific messages in packetfence.log when PacketFence
tries to reevaluate the access?

Regards

Fabrice



On 2018-04-26 at 02:52, luca comes via PacketFence-users wrote:
>
> Can anyone help me with this problem?
>
>
> Luca
>
>
>
> 
> *From:* luca comes via PacketFence-users
> 
> *Sent:* Thursday, 19 April 2018 11:37
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* luca comes
> *Subject:* [PacketFence-users] Cisco WLC unable to reevaluate access
> on cluster
>  
>
> Hi all,
>
> I'm in production with my PF cluster, which at the moment is serving
> more or less 400 clients on the cabled network and a Wi-Fi guest network with
> sponsored email on a Cisco WLC. Today I'm facing a problem on the
> guest network: the whole procedure seems to work well, but when the user is
> authorized and needs to be moved to the correct VLAN it doesn't work. I
> suppose this behaviour is due to a huge value in the queues; I can see
> in the cluster status priority api:reAssignVlan 8238.
>
> Am I right? Is the cluster full and can't serve the process? The
> strange thing is that the master node has these values but the other 2
> nodes are empty. I think the load should be shared between nodes, or does
> only the master node take ownership of the process?
>
>
> Luca
>
>
>

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



Re: [PacketFence-users] Cisco WLC unable to reevaluate access on cluster

2018-04-26 Thread luca comes via PacketFence-users
Can anyone help me with this problem?


Luca



From: luca comes via PacketFence-users
Sent: Thursday, 19 April 2018 11:37
To: packetfence-users@lists.sourceforge.net
Cc: luca comes
Subject: [PacketFence-users] Cisco WLC unable to reevaluate access on cluster


Hi all,

I'm in production with my PF cluster, which at the moment is serving more or less 
400 clients on the cabled network and a Wi-Fi guest network with sponsored email on a Cisco 
WLC. Today I'm facing a problem on the guest network: the whole procedure seems to work 
well, but when the user is authorized and needs to be moved to the correct VLAN 
it doesn't work. I suppose this behaviour is due to a huge value in the queues; I 
can see in the cluster status priority api:reAssignVlan 8238.

Am I right? Is the cluster full and can't serve the process? The strange thing 
is that the master node has these values but the other 2 nodes are empty. I 
think the load should be shared between nodes, or does only the master node 
take ownership of the process?


Luca


Re: [PacketFence-users] Cisco WLC and Meraki WebAuth

2017-03-17 Thread Tomasz Karczewski
Which firmware version do you use on the Cisco WLC 2504?



From: KUHN, BENJAMIN [mailto:bek...@rochester.k12.mn.us]
Sent: Wednesday, March 15, 2017 7:20 PM
To: packetfence-users@lists.sourceforge.net
Subject: [PacketFence-users] Cisco WLC and Meraki WebAuth



I am attempting to set up PacketFence to do WebAuth for a Cisco WLC and also 
for some Meraki APs. I am following the relevant portions of the Network 
Device Configuration Guide. Things appear to be working, with the exception of 
the RFC5176 portion where PacketFence sends the url-redirect Cisco AV Pair to 
the controller or APs.



Here is my switches.conf:



[default]
VlanMap=N
RoleMap=Y
UrlMap=Y
registrationUrl=https://packetfence.rochester.k12.mn.us/$session_id

[10.2.0.134]
coaPort=1700
deauthMethod=RADIUS
registrationRole=Pre-Auth-For-WebRedirect
Staff-BYODRole=RPS-BYOD
description=WLC2504-TSSC
controllerIp=10.2.0.134
mode=production
VoIPDHCPDetect=N
type=Cisco::WiSM2
REJECTRole=Pre-Auth-For-WebRedirect
VoIPCDPDetect=N
VoIPLLDPDetect=N
Student-BYODRole=RPS-BYOD
IT-BYODRole=RPS
SNMPCommunityRead=SuperSecretCommunityString
radiusSecret=SuperSecretPassword
SNMPVersion=2c
RoleMap=N

[10.102.239.0/24]
description=Test Lab APs
group=Meraki-APs

[group Meraki-APs]
VoIPCDPDetect=N
VoIPLLDPDetect=N
deauthMethod=RADIUS
coaPort=1700
mode=production
description=Meraki AP Default Values
type=Meraki::MR_v2
VoIPDHCPDetect=N
radiusSecret=SuperSecretPassword
UrlMap=Y
registrationUrl=http://packetfence.rochester.k12.mn.us/$session_id
RoleMap=Y
IT-BYODRole=IT-BYOD
Student-BYODRole=Student-BYOD
VlanMap=N
Staff-BYODRole=Staff-BYOD





And the relevant snippet from the RADIUS debug:



(74) Wed Mar 15 13:09:00 2017: Debug: linelog: EXPAND /usr/local/pf/logs/radius.log
(74) Wed Mar 15 13:09:00 2017: Debug: linelog:--> /usr/local/pf/logs/radius.log
(74) Wed Mar 15 13:09:00 2017: Debug: [linelog] = ok
(74) Wed Mar 15 13:09:00 2017: Debug:   } # post-auth = updated
(74) Wed Mar 15 13:09:00 2017: Debug: Sent Access-Accept Id 10 from 10.1.4.76:1812 to 10.102.239.101:42797 length 0
(74) Wed Mar 15 13:09:00 2017: Debug:   PacketFence-Authorization-Status = "allow"
(74) Wed Mar 15 13:09:00 2017: Debug:   Airespace-ACL-Name = "registration"
(74) Wed Mar 15 13:09:00 2017: Debug: Finished request



I am only getting the "Airespace-ACL-Name" AV Pair sent to both the Cisco WLC 
and the Meraki APs. What do I need to change to get the url-redirect AV pair 
sent to the devices? I can see the ACLs (or group policies in the case of 
Meraki) are correctly assigned. I can also access the login page manually so I 
know the ACLs are permitting access.



Thanks,

Ben





___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
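The question above comes down to which vendor-specific attributes actually leave the RADIUS server: an Airespace-ACL-Name on its own only assigns an ACL, while the web-auth redirect on a Cisco WLC depends on the two Cisco-AVPair values url-redirect-acl and url-redirect (the same pair the hand-patched Perl in the J Nelson thread further down builds). The following is an added example, not PacketFence code, that encodes and decodes an Access-Accept carrying those attributes in Python: it packs the Airespace VSA (vendor 14179, type 6) and the Cisco VSAs (vendor 9, type 1) per RFC 2865, computes and verifies the Response Authenticator from the shared secret, and reports whether a decoded reply carries the redirect pair. Feed parse_attributes the reply bytes from a capture between PacketFence and the controller to check what was really sent rather than what the debug log summarises. The shared secret, Request Authenticator, MAC, role, portal URL and session id used below are constructed sample values.

```python
import hashlib
import hmac
import struct

# RFC 2865 code/attribute numbers and the vendor ids and VSA types from the
# FreeRADIUS dictionary.cisco and dictionary.airespace files.
CODE_ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
VENDOR_CISCO, CISCO_AVPAIR = 9, 1
VENDOR_AIRESPACE, AIRESPACE_ACL_NAME = 14179, 6
VSA_NAMES = {(VENDOR_CISCO, CISCO_AVPAIR): "Cisco-AVPair",
             (VENDOR_AIRESPACE, AIRESPACE_ACL_NAME): "Airespace-ACL-Name"}

def encode_attr(atype, value):
    """Type(1) Length(1) Value, where Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("value too long for a single RADIUS attribute")
    return struct.pack("!BB", atype, len(value) + 2) + value

def encode_vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26): Vendor-Id(4), then Vendor-Type(1) Vendor-Length(1) Value."""
    if len(value) > 247:
        raise ValueError("value too long for a single VSA")
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)

def build_access_accept(ident, request_authenticator, secret, attributes):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body

def verify_response_authenticator(packet, request_authenticator, secret):
    """True if the reply was produced with this secret for this Request Authenticator;
    the NAS performs the same check before trusting any attribute in the reply."""
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    return hmac.compare_digest(auth, expected)

def parse_attributes(packet):
    """Return (name, value) pairs from a reply, descending into Vendor-Specific."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("RADIUS header length does not match packet size")
    out, pos = [], 20
    while pos < len(packet):
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vpos = struct.unpack("!I", value[:4])[0], 4
            while vpos < len(value):
                vtype, vlen = struct.unpack("!BB", value[vpos:vpos + 2])
                if vlen < 2 or vpos + vlen > len(value):
                    raise ValueError("malformed VSA in attribute at offset %d" % pos)
                name = VSA_NAMES.get((vendor, vtype), "Vendor-%d-Type-%d" % (vendor, vtype))
                out.append((name, value[vpos + 2:vpos + vlen].decode("utf-8", "replace")))
                vpos += vlen
        else:
            name = "User-Name" if atype == ATTR_USER_NAME else "Attr-%d" % atype
            out.append((name, value.decode("utf-8", "replace")))
        pos += alen
    return out

def webauth_redirect_complete(attrs):
    """A WLC only moves the client into web-auth redirect when BOTH url-redirect-acl
    and url-redirect are present; an ACL name on its own is a plain ACL assignment."""
    keys = {v.split("=", 1)[0] for name, v in attrs if name == "Cisco-AVPair" and "=" in v}
    return {"url-redirect-acl", "url-redirect"} <= keys

def registration_reply(ident, request_auth, secret, mac, role, portal_url, session_id):
    """ACL name plus the redirect pair (constructed here, not PacketFence's own reply)."""
    return build_access_accept(ident, request_auth, secret, [
        encode_attr(ATTR_USER_NAME, mac.encode()),
        encode_vsa(VENDOR_AIRESPACE, AIRESPACE_ACL_NAME, role.encode()),
        encode_vsa(VENDOR_CISCO, CISCO_AVPAIR, ("url-redirect-acl=" + role).encode()),
        encode_vsa(VENDOR_CISCO, CISCO_AVPAIR, ("url-redirect=%s/cep%s" % (portal_url, session_id)).encode()),
    ])

def acl_only_reply(ident, request_auth, secret, mac, role):
    """The shape the radius.log above shows: Airespace-ACL-Name and nothing else."""
    return build_access_accept(ident, request_auth, secret, [
        encode_attr(ATTR_USER_NAME, mac.encode()),
        encode_vsa(VENDOR_AIRESPACE, AIRESPACE_ACL_NAME, role.encode()),
    ])

if __name__ == "__main__":
    # Sample secret and Request Authenticator; real ones come from switches.conf
    # and from the Access-Request seen in the capture.
    secret, req_auth = b"SuperSecretPassword", bytes(range(16))
    pkt = registration_reply(10, req_auth, secret, "7c019125f9eb", "Pre-Auth-For-WebRedirect",
                             "https://10.1.254.126", "a4e83b")
    print(verify_response_authenticator(pkt, req_auth, secret), webauth_redirect_complete(parse_attributes(pkt)))
```

Compare the two reply builders: the acl_only_reply is what the debug output above describes, and webauth_redirect_complete returns False for it, which is exactly the symptom of a client that gets an ACL but never a redirect. Verifying the Response Authenticator against the wrong secret also shows why a secret mismatch between switches.conf and the controller is silently dropped by the NAS rather than logged as a bad attribute.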


Re: [PacketFence-users] Cisco wlc 2500 Extract Ssid not working

2017-03-13 Thread Fabrice Durand
Hello Helen,

first you need to configure the WLC to send mac:ssid in the
Called-Station-Id (Security -> Radius -> Authentication : Call Station
ID Type).

Next your redirection url is wrong, set this instead:

http://10.1.254.126/Cisco::WLC

Next untick Role by Vlan id in PacketFence switch config, you don't need
that, (just be sure that the ssid is linked on the vlan 51).


Do that and it should work

Regards

Fabrice



On 2017-03-13 at 05:07, Helen Chen wrote:
>
> Hi All,
>
>  
>
> I’m totally new to PacketFence, especially to out-of-band. We are now
> using WLC 2504 + AIR2702i to achieve guest wireless authentication
> through PacketFence. However, our problem is that the endpoint says
> “unable to join network SSID” and there’s no redirection to the captive
> portal.
>
>  
>
> Packetfence management IP address and captive portal  10.1.254.126/24.
> Registration IP is 172.17.0.0/16 while isolation IP is 172.18.0.0/16.
> We want to use PacketFence to enable DHCP.
>
>  
>
> Please review the packetfence.log:
>
> Mar 13 04:55:46 httpd.aaa(1857) INFO: [mac:7c:01:91:25:f9:eb] Unable
> to extract MAC from Called-Station-Id: 10.1.5.50
> (pf::radius::extractApMacFromRadiusRequest)
>
> Mar 13 04:55:46 httpd.aaa(1857) INFO: [mac:7c:01:91:25:f9:eb] Memory
> configuration is not valid anymore for key config::Switch in local
> cached_hash (pfconfig::cached::is_valid)
>
> Mar 13 04:55:46 httpd.aaa(1857) INFO: [mac:7c:01:91:25:f9:eb] Memory
> configuration is not valid anymore for key resource::stats_levels in
> local cached_hash (pfconfig::cached::is_valid)
>
> Mar 13 04:55:46 httpd.aaa(1857) INFO: [mac:7c:01:91:25:f9:eb] Unable
> to extract SSID of Called-Station-Id: 10.1.5.50 (pf::Switch::extractSsid)
>
> Mar 13 04:55:46 httpd.aaa(1857) WARN: [mac:7c:01:91:25:f9:eb] Unable
> to extract SSID for module pf::Switch::Cisco::WLC_2500. SSID-based
> VLAN assignments won't work. Please let us know so we can add support
> for it. (pf::Switch::extractSsid)
>
> Mar 13 04:55:46 httpd.aaa(1857) INFO: [mac:7c:01:91:25:f9:eb] handling
> radius autz request: from switch_ip => (10.1.5.50), connection_type =>
> Wireless-802.11-NoEAP,switch_mac => (Unknown), mac =>
> [7c:01:91:25:f9:eb], port => 1, username => "7c019125f9eb"
> (pf::radius::authorize)
>
> Mar 13 04:55:46 httpd.aaa(1857) INFO: [mac:7c:01:91:25:f9:eb]
> Instantiate profile RSP (pf::Portal::ProfileFactory::_from_profile)
>
> Mar 13 04:55:46 httpd.aaa(1857) INFO: [mac:7c:01:91:25:f9:eb] Memory
> configuration is not valid anymore for key config::Pf in local
> cached_hash (pfconfig::cached::is_valid)
>
> Mar 13 04:55:46 httpd.aaa(1857) INFO: [mac:7c:01:91:25:f9:eb] is of
> status unreg; belongs into registration VLAN
> (pf::role::getRegistrationRole)
>
> Mar 13 04:55:46 httpd.aaa(1857) INFO: [mac:7c:01:91:25:f9:eb]
> (10.1.5.50) Added VLAN 51 to the returned RADIUS Access-Accept
> (pf::Switch::returnRadiusAccessAccept)
>
> Mar 13 04:55:46 httpd.aaa(1857) INFO: [mac:7c:01:91:25:f9:eb]
> (10.1.5.50) Added role Pre-Auth-For-WebRedirect to the returned RADIUS
> Access-Accept (pf::Switch::returnRadiusAccessAccept)
>
> Mar 13 04:55:46 httpd.aaa(1857) INFO: [mac:7c:01:91:25:f9:eb] Adding
> web authentication redirection to reply using role:
> 'Pre-Auth-For-WebRedirect' and URL:
> 'https://10.1.254.126/$session_id/sida4e83b'  
> (pf::Switch::Cisco::WLC::returnRadiusAccessAccept)
>
>  
>
>  
>
> Radius debug:
>
> (0) Received Access-Request Id 53 from 10.1.5.50:32771 to
> 10.1.254.126:1812 length 241
>
> (0)   User-Name = "7c019125f9eb"
>
> (0)   Called-Station-Id = "10.1.5.50"
>
> (0)   Calling-Station-Id = "7c-01-91-25-f9-eb"
>
> (0)   NAS-Port = 1
>
> (0)   NAS-IP-Address = 10.1.5.50
>
> (0)   NAS-Identifier = "QD-G5-2504-3F-1"
>
> (0)   Airespace-Wlan-Id = 4
>
> (0)   User-Password = "žo\310P-Sh\234\234>\276\210Lw\271"
>
> (0)   Service-Type = Call-Check
>
> (0)   Framed-MTU = 1300
>
> (0)   NAS-Port-Type = Wireless-802.11
>
> (0)   Tunnel-Type:0 = VLAN
>
> (0)   Tunnel-Medium-Type:0 = IEEE-802
>
> (0)   Tunnel-Private-Group-Id:0 = "51"
>
> (0)   Cisco-AVPair = "audit-session-id=0a0105320001bf5958c65e96"
>
> (0)   Acct-Session-Id = "58c65e96/7c:01:91:25:f9:eb/161430"
>
> (0) # Executing section authorize from file
> /usr/local/pf/raddb/sites-enabled/packetfence
>
> (0)   authorize {
>
> (0) update {
>
> (0)   EXPAND %{Packet-Src-IP-Address}
>
> (0)  --> 10.1.5.50
>
> (0)   :FreeRADIUS-Client-IP-Address := 10.1.5.50
>
> (0)   :PacketFence-RPC-Server = 127.0.0.1
>
> (0)   :PacketFence-RPC-Port = 7070
>
> (0)   :PacketFence-RPC-User =
>
> (0)   :PacketFence-RPC-Pass =
>
> (0)   :PacketFence-RPC-Proto = http
>
> (0)   EXPAND %l
>
> (0)  --> 1489395346
>
> (0)   :Tmp-Integer-0 := 1489395346
>
> (0)   :PacketFence-Request-Time := 0
>
> (0) } # update = noop
>
> (0) policy rewrite_calling_station_id {
>
> (0)   if ( && ( =~
> 

Re: [PacketFence-users] Cisco WLC Web Auth @ PacketFence 6.4

2017-01-25 Thread Durand fabrice

Hello Talan,

my answers below.


On 2017-01-25 at 09:33, Talan Westby wrote:


Hi,

We have recently attempted to upgrade from 5.7 to 6.4, unfortunately 
we have faced some issues which are proving difficult to figure out. 
Here are the issues:


1. When an iOS device connects in an “unregistered” state it doesn’t 
automatically load the registration section, despite the Cisco WLC 
having the client in a Web_AuthReq’d state and a URL Redirect page.


2. Once a user goes through the registration process and signs in, it 
doesn’t drop the association and reconnect with the new authentication 
rules, and as such the error message “unable to detect network 
connectivity” is shown.


We currently have PacketFence 5.7 running without any of the above 
issues. Below are the logs from packetfence.log for a full 
authentication process of a client:


Jan 25 13:55:15 httpd.aaa(2256) INFO: [mac:d8:96:95:27:ea:9a] Unable 
to extract SSID of Called-Station-Id: d0:d0:fd:20:0f:20 
(pf::Switch::extractSsid)


Jan 25 13:55:15 httpd.aaa(2256) WARN: [mac:d8:96:95:27:ea:9a] Unable 
to extract SSID for module pf::Switch::Cisco::WLC_5500. SSID-based 
VLAN assignments won't work. Please let us know so we can add support 
for it. (pf::Switch::extractSsid)



Fix the Calling-Station-Id format on the WLC side, something like mac:ssid


Jan 25 13:55:15 httpd.aaa(2256) INFO: [mac:d8:96:95:27:ea:9a] handling 
radius autz request: from switch_ip => (172.27.5.1), connection_type 
=> Wireless-802.11-NoEAP,switch_mac => (d0:d0:fd:20:0f:20), mac => 
[d8:96:95:27:ea:9a], port => 13, username => "d8:96:95:27:ea:9a" 
(pf::radius::authorize)


Jan 25 13:55:15 httpd.aaa(2256) INFO: [mac:d8:96:95:27:ea:9a] 
Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)


Jan 25 13:55:15 httpd.aaa(2256) INFO: [mac:d8:96:95:27:ea:9a] is of 
status unreg; belongs into registration VLAN 
(pf::role::getRegistrationRole)


Jan 25 13:55:15 httpd.aaa(2256) INFO: [mac:d8:96:95:27:ea:9a] 
(172.27.5.1) Added role PreAuth to the returned RADIUS Access-Accept 
(pf::Switch::returnRadiusAccessAccept)


Jan 25 13:55:15 httpd.aaa(2256) INFO: [mac:d8:96:95:27:ea:9a] Adding 
web authentication redirection to reply using role: 'PreAuth' and URL: 
'https://dc-packetfence.derby-college.ac.uk/sid6daded' 
(pf::Switch::Cisco::WLC::returnRadiusAccessAccept)


Jan 25 13:55:24 httpd.portal(29089) ERROR: [mac:d8:96:95:27:ea:9a] 
Can't bind : IO::Socket::INET: connect: Connection refused



Disable OMAPI


Jan 25 13:55:24 httpd.portal(29089) INFO: [mac:d8:96:95:27:ea:9a] 
Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)


Jan 25 13:55:24 httpd.portal(29089) ERROR: [mac:d8:96:95:27:ea:9a] 
Error while setting locale to en_US.utf8. Is the locale generated on 
your system? (pf::Portal::Session::_initializeI18n)


Jan 25 13:55:24 httpd.portal(29089) ERROR: [mac:d8:96:95:27:ea:9a] 
Can't bind : IO::Socket::INET: connect: Connection refused


Jan 25 13:55:24 httpd.portal(29089) INFO: [mac:d8:96:95:27:ea:9a] 
Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)


Jan 25 13:55:24 httpd.portal(29089) ERROR: [mac:d8:96:95:27:ea:9a] 
Error while setting locale to en_US.utf8. Is the locale generated on 
your system? (captiveportal::PacketFence::Controller::Root::setupLanguage)



Debian ?: dpkg-reconfigure locales


Jan 25 13:55:24 httpd.portal(29089) INFO: [mac:d8:96:95:27:ea:9a] 
Updating node user_agent with useragent: 'Mozilla/5.0 (iPhone; CPU 
iPhone OS 10_2 like Mac OS X) AppleWebKit/602.3.12 (KHTML, like Gecko) 
Version/10.0 Mobile/14C92 Safari/602.1' 
(captiveportal::PacketFence::DynamicRouting::Application::process_user_agent)


Jan 25 13:55:26 httpd.portal(29090) ERROR: [mac:d8:96:95:27:ea:9a] 
Can't bind : IO::Socket::INET: connect: Connection refused


Jan 25 13:55:26 httpd.portal(29090) INFO: [mac:d8:96:95:27:ea:9a] 
Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)


Jan 25 13:55:26 httpd.portal(29090) ERROR: [mac:d8:96:95:27:ea:9a] 
Error while setting locale to en_US.utf8. Is the locale generated on 
your system? (pf::Portal::Session::_initializeI18n)


Jan 25 13:55:26 httpd.portal(29090) ERROR: [mac:d8:96:95:27:ea:9a] 
Can't bind : IO::Socket::INET: connect: Connection refused


Jan 25 13:55:26 httpd.portal(29090) INFO: [mac:d8:96:95:27:ea:9a] 
Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)


Jan 25 13:55:26 httpd.portal(29090) ERROR: [mac:d8:96:95:27:ea:9a] 
Error while setting locale to en_US.utf8. Is the locale generated on 
your system? (captiveportal::PacketFence::Controller::Root::setupLanguage)


Jan 25 13:55:28 httpd.portal(29119) ERROR: [mac:d8:96:95:27:ea:9a] 
Can't bind : IO::Socket::INET: connect: Connection refused


Jan 25 13:55:28 httpd.portal(29119) INFO: [mac:d8:96:95:27:ea:9a] 
Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)


Jan 25 13:55:28 httpd.portal(29119) ERROR: [mac:d8:96:95:27:ea:9a] 
Error while setting locale to en_US.utf8. Is 

Re: [PacketFence-users] Cisco WLC HTTP authentication - multiple roles/subnets vs one portal

2015-05-27 Thread J Nelson
Fabrice,

well, I spoke too soon.

Just as I was feeling pretty good about things, I discovered that Apple
iOS will not load the captive web portal page.  It looks like the redirect
is happening, just no love on the iOS side. I know OS X, Windows 7, and
Droid are working, but not Apple iOS.

I have seen issues with the PacketFence server name being servername.local. My
PacketFence server is packetfence.mydomain.edu and is also resolvable by
any internal client via DNS.

I have also seen that using a secure redirect will also hinder iOS clients;
I am not using a secure redirect either.  So, I've searched through the
listserv, but the above solutions do not seem to help me out.  Any ideas?

On Wed, May 27, 2015 at 5:48 AM, Durand fabrice fdur...@inverse.ca wrote:

  Hello Justin,

 Glad it works :-)

 It will probably be an interesting feature to add to PacketFence.

 Regards
 Fabrice


 

Re: [PacketFence-users] Cisco WLC HTTP authentication - multiple roles/subnets vs one portal

2015-05-27 Thread J Nelson
Here is what is even more awesome: I just fired up my first PF test install.
Same CentOS, same PF version, same WLC Webauth, and it works for iOS.

But, what is interesting, is that on my first, test PF install, after
logging in at the captive portal, I got a server not found error, so you
had me do:

your issue is the end redirection.

a quick fix is to edit
html/captive-portal/lib/captiveportal/PacketFence/Controller/CaptivePortal.pm
And replace:

if ( $c->request->secure ) {
    $c->response->redirect( "http://"
      . $Config{'general'}{'hostname'} . "."
      . $Config{'general'}{'domain'}
      . '/access?destination_url='
      . uri_escape($destination_url) );
}

by:

if ( $c->request->secure ) {
    $c->response->redirect( "http://10.3.0.3"
      . '/access?destination_url='
      . uri_escape($destination_url) );
}



So, once that test install was all working, I went ahead and installed on
the production hardware.  Same versions of everything, but I did not have
to apply that fix above.  So other than the modifications you had me do to
get multiple webauth portals on my production install, they should be by
and large the same.  I would also add that I did make a snapshot of my
production PF box before I made any of the multi web auth portal changes.
If I go back to that snapshot, iOS still doesn't work.  So, I have a working
instance on a low powered box, I just don't know what the difference is at
this point.

On Wed, May 27, 2015 at 9:48 AM, Fabrice DURAND fdur...@inverse.ca wrote:

  In fact the WLC will probably have to intercept
 http://www.apple.com/library/test/success.html and reply with a 302 to
 http://10.5.0.3/cep221d28 to get a popup on the Apple device.
 If you can, get a capture of the HTTP traffic between the device and the
 WLC.

 Regards
 Fabrice




 On 2015-05-27 10:22, J Nelson wrote:

 No, what exactly would I ask them?  I don't understand the process enough
 to fully understand what I'd open a case on...

 On Wed, May 27, 2015 at 9:11 AM, Fabrice DURAND fdur...@inverse.ca
 wrote:

  Because the WLC does the redirection, it is supposed to answer the correct
 stuff for iOS portal detection.
 Did you ask Cisco about that?

 Regards
 Fabrice

 On 2015-05-27 10:05, J Nelson wrote:

 No, in httpd.portal.access this is the output I see (below); I don't see
 anything at all related to the iOS clients. 10.5.0.13 is a Win7 client I've
 been testing with, but I see nothing at all for the iOS clients.  I
 searched for '/library/test/success.html' in httpd.portal.access and
 nothing is found.


 10.5.0.13 - - [26/May/2015:16:01:10 -0500] "GET /cepe7b74e HTTP/1.1" 302 906 "-" "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0"
 10.5.0.13 - - [26/May/2015:16:01:19 -0500] "GET /cepe7b74e HTTP/1.1" 302 906 "-" "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0"
 10.5.0.13 - - [26/May/2015:16:02:03 -0500] "GET /cepe7b74e HTTP/1.1" 302 906 "-" "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0"
 10.5.0.13 - - [26/May/2015:16:03:42 -0500] "GET /cep221d28 HTTP/1.1" 302 880 "-" "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0"
 10.5.0.13 - - [26/May/2015:16:03:43 -0500] "GET /captive-portal?destination_url=http://10.5.0.3/cep221d28 HTTP/1.1" 200 3099 "-" "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0"
 10.5.0.13 - - [26/May/2015:16:03:49 -0500] "POST /signup HTTP/1.1" 200 11496 "http://10.5.0.3/captive-portal?destination_url=http://10.5.0.3/cep221d28" "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0"
 10.5.0.13 - - [26/May/2015:16:10:47 -0500] "GET /cepe98b0a HTTP/1.1" 302 880 "-" "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0"
 10.5.0.13 - - [26/May/2015:16:10:48 -0500] "GET /captive-portal?destination_url=http://10.5.0.3/cepe98b0a HTTP/1.1" 200 3099 "-" "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0"
 10.5.0.13 - - [26/May/2015:16:10:56 -0500] "POST /signup HTTP/1.1" 200 11496 "http://10.5.0.3/captive-portal?destination_url=http://10.5.0.3/cepe98b0a" "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0"
 10.4.0.3 - - [27/May/2015:07:37:52 -0500] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
 10.4.0.3 - - [27/May/2015:07:37:53 -0500] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
 10.4.0.3 - - [27/May/2015:07:37:54 -0500] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
 10.4.0.3 - - [27/May/2015:07:37:55 -0500] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
 10.4.0.3 - - [27/May/2015:07:37:56 -0500] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
 10.4.0.3 - - [27/May/2015:07:37:57 -0500] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
 10.4.0.3 - - [27/May/2015:07:37:58 -0500] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
 10.4.0.3 - - [27/May/2015:07:37:59 

Re: [PacketFence-users] Cisco WLC HTTP authentication - multiple roles/subnets vs one portal

2015-05-26 Thread J Nelson
Fabrice,


1st of all: thanks for all the help.

2nd: my issue wound up being my WLC access list - I forgot to permit the
guest network PF portal IP address (10.5.0.3) in my PreAuthACL.  So, once
I put that in, the loop on the guest side stopped, and it's working like I
had wanted.  Testing so far looks good.

thanks again!


Re: [PacketFence-users] Cisco WLC HTTP authentication - multiple roles/subnets vs one portal

2015-05-25 Thread Fabrice DURAND
Hello Justin,

to get radius in debug mode, kill radiusd first (pkill radiusd)
and retry.

Other thing: can you check in httpd.portal.access to see if it's the
portal that loops or the WLC?
If it's the WLC then you probably have to check the debug/ACL.

Regards
Fabrice



Re: [PacketFence-users] Cisco WLC HTTP authentication - multiple roles/subnets vs one portal

2015-05-22 Thread J Nelson
Ok, so the headers look something like this; it repeats forever when
redirected:

GET /cep0a5a10 HTTP/1.1
Host: 10.5.0.3
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cache-Control: max-age=0

HTTP/1.1 200 OK
Location: http://10.5.0.3/cep0a5a10
Content-Type: text/html
Content-Length: 278
--http://10.5.0.3/cep0a5a10

GET /cep0a5a10 HTTP/1.1
Host: 10.5.0.3
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cache-Control: max-age=0

HTTP/1.1 200 OK
Location: http://10.5.0.3/cep0a5a10
Content-Type: text/html
Content-Length: 278
--http://10.5.0.3/cep0a5a10

GET /cep0a5a10 HTTP/1.1
Host: 10.5.0.3
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cache-Control: max-age=0

As for the radius debug, there is quite a bit of output, what am I looking
for?  I guess I can copy what I found interesting in it that would pertain
to the WLC:

rlm_sql (sql): Read entry
nasname=172.16.4.4,shortname=172.16.4.4,secret=private
rlm_sql (sql): Adding client 172.16.4.4 (172.16.4.4, server=none) to
clients list

radiusd: #### Opening IP addresses and Ports ####
listen {
 type = auth
 virtual_server = packetfence
 ipaddr = 10.10.1.13
 port = 0
Failed binding to authentication address 10.10.1.13 port 1812 as server
packetfence: Address already in use
/usr/local/pf/raddb//radiusd.conf[37]: Error binding to port for 10.10.1.13
port 1812

radiusd.conf line starting at line 37:

listen {
type = auth
ipaddr = 10.10.1.13
port = 0
virtual_server = packetfence
}

listen {
ipaddr = 10.10.1.13
port = 0
type = acct
virtual_server = packetfence
}


On Thu, May 21, 2015 at 3:02 PM, Fabrice DURAND fdur...@inverse.ca wrote:

  Ok so the problem is elsewhere.

 Can you check with radius in debug mode is the vsa are correct ?
 radiusd -d /usr/local/pf/raddb/ -X

 And on the client side, with Live HTTP Headers (Firefox extension), what
 does the redirection contain?

 Regards
 Fabrice


 On 2015-05-21 15:46, J Nelson wrote:

   I'm running version 4.5.1

  my subroutine looks like:
 sub returnRadiusAccessAccept {
     my ($this, $vlan, $mac, $port, $connection_type, $user_name, $ssid,
         $wasInline, $user_role) = @_;
     my $logger = Log::Log4perl::get_logger( ref($this) );

     my $radius_reply_ref = {};

     my $role = $this->getRoleByName($user_role);
     # Roles are configured and the user should have one
     if (defined($role) && isenabled($this->{_RoleMap})) {
         my $node_info = node_view($mac);
         if ($node_info->{'status'} eq $pf::node::STATUS_REGISTERED) {
             $radius_reply_ref = {
                 'User-Name' => $mac,
                 $this->returnRoleAttribute => $role,
             };
         }
         else {
             my (%session_id);
             pf::web::util::session(\%session_id,undef,6);
             $session_id{client_mac} = $mac;
             $session_id{wlan} = $ssid;
             $session_id{switch_id} = $this->{_id};
             my $portal_url;
             if ( $ssid eq "Webreg-Production") {
                 $portal_url='http://10.4.0.3';
             }elsif ( $ssid eq "Augie-Guest") {
                 $portal_url='http://10.5.0.3';
             } else {
                 $portal_url=$this->{'_portalURL'};
             }

             $radius_reply_ref = {
                 'User-Name' => $mac,
                 'Cisco-AVPair' =>
                     ["url-redirect-acl=$role","url-redirect=".$portal_url."/cep$session_id{_session_id}"],
             };
         }
         $logger->info("[$mac] (".$this->{'_id'}.") Returning ACCEPT with role: $role");
     }

 It's different from what you posted.  If I put in the entire code that you
 posted, neither of the SSIDs will work anymore.  If I include this code:
 my $portal_url;
 if ( $ssid eq "Webreg-Production") {
     $portal_url='http://10.4.0.3';
 }elsif ( $ssid eq "Augie-Guest") {
     $portal_url='http://10.5.0.3';
 } else {
     $portal_url=$this->{'_portalURL'};
 }

 $radius_reply_ref = {
     'User-Name' => $mac,
     'Cisco-AVPair' =>
         ["url-redirect-acl=$role","url-redirect=".$portal_url."/cep$session_id{_session_id}"],
 };
 }
 $logger->info("[$mac] (".$this->{'_id'}.") Returning ACCEPT with role: $role");
 }

  then 

Re: [PacketFence-users] Cisco WLC HTTP authentication - multiple roles/subnets vs one portal

2015-05-21 Thread Fabrice DURAND
Ok so the problem is elsewhere.

Can you check with radius in debug mode if the VSAs are correct?
radiusd -d /usr/local/pf/raddb/ -X

And on the client side, with Live HTTP Headers (Firefox extension), what
does the redirection contain?

Regards
Fabrice
 
On 2015-05-21 15:46, J Nelson wrote:
 I'm running version 4.5.1

 my subroutine looks like:
 sub returnRadiusAccessAccept {
     my ($this, $vlan, $mac, $port, $connection_type, $user_name,
         $ssid, $wasInline, $user_role) = @_;
     my $logger = Log::Log4perl::get_logger( ref($this) );

     my $radius_reply_ref = {};

     my $role = $this->getRoleByName($user_role);
     # Roles are configured and the user should have one
     if (defined($role) && isenabled($this->{_RoleMap})) {
         my $node_info = node_view($mac);
         if ($node_info->{'status'} eq $pf::node::STATUS_REGISTERED) {
             $radius_reply_ref = {
                 'User-Name' => $mac,
                 $this->returnRoleAttribute => $role,
             };
         }
         else {
             my (%session_id);
             pf::web::util::session(\%session_id,undef,6);
             $session_id{client_mac} = $mac;
             $session_id{wlan} = $ssid;
             $session_id{switch_id} = $this->{_id};
             my $portal_url;
             if ( $ssid eq "Webreg-Production") {
                 $portal_url='http://10.4.0.3';
             }elsif ( $ssid eq "Augie-Guest") {
                 $portal_url='http://10.5.0.3';
             } else {
                 $portal_url=$this->{'_portalURL'};
             }

             $radius_reply_ref = {
                 'User-Name' => $mac,
                 'Cisco-AVPair' =>
                     ["url-redirect-acl=$role","url-redirect=".$portal_url."/cep$session_id{_session_id}"],
             };
         }
         $logger->info("[$mac] (".$this->{'_id'}.") Returning ACCEPT with role: $role");
     }

 It's different from what you posted.  If I put in the entire code that
 you posted, neither of the SSIDs will work anymore.  If I include
 this code:
 my $portal_url;
 if ( $ssid eq "Webreg-Production") {
     $portal_url='http://10.4.0.3';
 }elsif ( $ssid eq "Augie-Guest") {
     $portal_url='http://10.5.0.3';
 } else {
     $portal_url=$this->{'_portalURL'};
 }

 $radius_reply_ref = {
     'User-Name' => $mac,
     'Cisco-AVPair' =>
         ["url-redirect-acl=$role","url-redirect=".$portal_url."/cep$session_id{_session_id}"],
 };
 }
 $logger->info("[$mac] (".$this->{'_id'}.") Returning ACCEPT with role: $role");
 }

 then Webreg-Production works, and Augie-Guest appears to continuously
 loop.



 On Thu, May 21, 2015 at 12:05 PM, Fabrice DURAND fdur...@inverse.ca wrote:

 The function is like that ? :

 sub returnRadiusAccessAccept {
     my ($this, $vlan, $mac, $port, $connection_type, $user_name,
         $ssid, $wasInline, $user_role) = @_;
     my $logger = Log::Log4perl::get_logger( ref($this) );

     my $radius_reply_ref = {};

     my $role = $this->getRoleByName($user_role);
     # Roles are configured and the user should have one
     if (defined($role) && isenabled($this->{_RoleMap})) {
         my $node_info = node_view($mac);
         my $violation = pf::violation::violation_view_top($mac);
         if ($node_info->{'status'} eq $pf::node::STATUS_REGISTERED
             && !defined($violation)) {
             $radius_reply_ref = {
                 'User-Name' => $mac,
                 $this->returnRoleAttribute => $role,
             };
         }
         else {
             my (%session_id);
             pf::web::util::session(\%session_id,undef,6);
             $session_id{client_mac} = $mac;
             $session_id{wlan} = $ssid;
             $session_id{switch_id} = $this->{_id};
             pf::locationlog::locationlog_set_session($mac,
                 $session_id{_session_id});
             my $portal_url;
             if ( $ssid eq "Webreg-Production") {
                 $portal_url='http://10.4.0.3';
             }elsif ( $ssid eq "Augie-Guest") {
                 $portal_url='http://10.5.0.3';
             } else {
                 $portal_url=$this->{'_portalURL'};
             }

             $radius_reply_ref = {
                 'User-Name' => $mac,
                 'Cisco-AVPair' =>
                     ["url-redirect-acl=$role","url-redirect=".$portal_url."/cep$session_id{_session_id}"],
             };
         }
         $logger->info("[$mac] (".$this->{'_id'}.") Returning ACCEPT with role: $role");
     }

 Also check the httpd.admin... log files; you should be able to see
 what the error is.

 Regards
 Fabrice





 On 2015-05-21 12:28, J Nelson wrote:
 Closer, but not quite.  So, my code now looks like:

 my $portal_url;
 if ( $ssid eq "Webreg-Production") {
  

Re: [PacketFence-users] Cisco WLC HTTP authentication - multiple roles/subnets vs one portal

2015-05-21 Thread J Nelson
Fabrice,

I tried to add what you provided to the code of WLC_http.pm, but once I do
it, I get put into an endless redirect loop on both networks.  I do see
that each network is trying to redirect to the proper portal IP.  I'm
putting what I have in WLC_http.pm; I'm including some lines before and
after the code tweak you provided, just so you can see if anything is
missing before/after, like a { or ; somewhere.

    my $role = $this->getRoleByName($user_role);
    # Roles are configured and the user should have one
    if (defined($role) && isenabled($this->{_RoleMap})) {
        my $node_info = node_view($mac);
        if ($node_info->{'status'} eq $pf::node::STATUS_REGISTERED) {
            $radius_reply_ref = {
                'User-Name' => $mac,
                $this->returnRoleAttribute => $role,
            };
        }
        else {
            my (%session_id);
            pf::web::util::session(\%session_id,undef,6);
            $session_id{client_mac} = $mac;
            $session_id{wlan} = $ssid;
            $session_id{switch_id} = $this->{_id};
            my $portal_url;
            if ( $ssid eq "Webreg-Production") {
                $portal_url="10.4.0.3";   # bare address, no http:// scheme (fixed in the follow-up)
            }elsif ( $ssid eq "Augie-Guest") {
                $portal_url="10.5.0.3";
            } else {
                $portal_url=$this->{'_portalURL'};
            }

            $radius_reply_ref = {
                'User-Name' => $mac,
                'Cisco-AVPair' =>
                    ["url-redirect-acl=$role","url-redirect=".$portal_url."/cep$session_id{_session_id}"],
            };

        }
        $logger->info("[$mac] (".$this->{'_id'}.") Returning ACCEPT with role: $role");
    }




On Wed, May 20, 2015 at 9:33 AM, Fabrice DURAND fdur...@inverse.ca wrote:

  Hi John,

 So you will have to go into the code, because there is only one portal URL
 per switch config.

 So let's do a hack:

 https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Cisco/WLC_http.pm#L161

 my $portal_url;
 if ( $ssid eq "Staff") {
     $portal_url="10.4.0.3";   # bare address, no http:// scheme (fixed in the follow-up)
 }elsif ( $ssid eq "Guest") {
     $portal_url="10.5.0.3";
 } else {
     $portal_url=$this->{'_portalURL'};
 }

 $radius_reply_ref = {
     'User-Name' => $mac,
     'Cisco-AVPair' =>
         ["url-redirect-acl=$role","url-redirect=".$portal_url."/cep$session_id{_session_id}"],
 };


 Regards
 Fabrice



 On 2015-05-20 09:40, J Nelson wrote:

 Fabrice, I am purely Web Auth via Cisco WLC.

 So, in that configuration, I don't believe there is any way to change
 VLANs, as Web Auth is purely controlling access via ACLs on the WLC.
 Now, if I'm wrong on this, I need to be pointed in the right direction.

 So, I am trying to figure out how to basically have two registration
 interfaces in a pure WLC Web Auth setup:
 VLAN 4 - Staff/Fac
 VLAN 5 - Guest

 But it looks like I can only have one portal, since I set up VLAN 4 first;
 the portal exists on that address space/subnet.  So, the issue I'm having:
 when I join the Guest network, a client in that network is unable to get to
 the portal page.  It looks like a redirect is happening, but I just can't
 get to it (the PF portal).  The ACL on the WLC is indicating that the
 traffic is being passed, but I don't believe iptables on the PF box is
 allowing it.  A client in the Guest network definitely cannot get to
 http/https on the PF portal IP address (confirmed via an Nmap scan).

 So I guess the question is, provided you understand what I'm trying to
 accomplish: can I have multiple Registration interfaces that use the same
 PF portal?  And what are the configuration requirements?  Throwing up two PF
 boxes, one for Staff/Fac/Student and one for Guest, would certainly work; just
 curious if I can do it all in one box.

 thanks..

 On Wed, May 20, 2015 at 8:23 AM, Fabrice DURAND fdur...@inverse.ca
 wrote:

  Hello Nelson,

 I am not sure I understand what you really want to do.

 Let's say you have a registration network: VLAN 4.
 A production network for the staff and a production network for the guest
 (5).

 When a device is unregistered, PacketFence will return VLAN 5 and the
 device will hit the portal.
 Then, depending on whether it's Staff or a guest, after registration the
 device will be placed on its production network (depending on its role).

 Is it something like that you want to achieve ?

 Regards
 Fabrice


 On 2015-05-19 14:18, J Nelson wrote:

 Any role configured on a different subnet other than the native subnet
 where the captive portal is located will not work.

 So, what I do have working is my Fac-Staff SSID, which is on VLAN 4/
 10.4.0.0/24.
 The captive portal is located at: 10.4.0.3
 The WLC is configured at Network | Switches | and is configured to do Role by
 Switch Role, where WLC ACLs are entered to define Registration and then
 Fac-Staff access upon registration.

 The Portal URL is in the Fac-Staff registration network - IP address, in
 this case: 10.4.0.3

 So, the problem I'm running into is that I want Guests on a different
 subnet and SSID other than where Fac-Staff reside.  So I create a new
 interface, on a different subnet, as: Type - Registration, and 

Re: [PacketFence-users] Cisco WLC HTTP authentication - multiple roles/subnets vs one portal

2015-05-21 Thread J Nelson
I'm running version 4.5.1

my subroutine looks like:
sub returnRadiusAccessAccept {
    my ($this, $vlan, $mac, $port, $connection_type, $user_name, $ssid,
        $wasInline, $user_role) = @_;
    my $logger = Log::Log4perl::get_logger( ref($this) );

    my $radius_reply_ref = {};

    my $role = $this->getRoleByName($user_role);
    # Roles are configured and the user should have one
    if (defined($role) && isenabled($this->{_RoleMap})) {
        my $node_info = node_view($mac);
        if ($node_info->{'status'} eq $pf::node::STATUS_REGISTERED) {
            $radius_reply_ref = {
                'User-Name' => $mac,
                $this->returnRoleAttribute => $role,
            };
        }
        else {
            my (%session_id);
            pf::web::util::session(\%session_id,undef,6);
            $session_id{client_mac} = $mac;
            $session_id{wlan} = $ssid;
            $session_id{switch_id} = $this->{_id};
            my $portal_url;
            if ( $ssid eq "Webreg-Production") {
                $portal_url='http://10.4.0.3';
            }elsif ( $ssid eq "Augie-Guest") {
                $portal_url='http://10.5.0.3';
            } else {
                $portal_url=$this->{'_portalURL'};
            }

            $radius_reply_ref = {
                'User-Name' => $mac,
                'Cisco-AVPair' =>
                    ["url-redirect-acl=$role","url-redirect=".$portal_url."/cep$session_id{_session_id}"],
            };
        }
        $logger->info("[$mac] (".$this->{'_id'}.") Returning ACCEPT with role: $role");
    }

It's different from what you posted.  If I put in the entire code that you
posted, neither of the SSIDs will work anymore.  If I include this code:
my $portal_url;
if ( $ssid eq "Webreg-Production") {
    $portal_url='http://10.4.0.3';
}elsif ( $ssid eq "Augie-Guest") {
    $portal_url='http://10.5.0.3';
} else {
    $portal_url=$this->{'_portalURL'};
}

$radius_reply_ref = {
    'User-Name' => $mac,
    'Cisco-AVPair' =>
        ["url-redirect-acl=$role","url-redirect=".$portal_url."/cep$session_id{_session_id}"],
};
}
$logger->info("[$mac] (".$this->{'_id'}.") Returning ACCEPT with role: $role");
}

then Webreg-Production works, and Augie-Guest appears to continuously loop.



On Thu, May 21, 2015 at 12:05 PM, Fabrice DURAND fdur...@inverse.ca wrote:

  The function is like that ? :

 sub returnRadiusAccessAccept {
     my ($this, $vlan, $mac, $port, $connection_type, $user_name, $ssid,
         $wasInline, $user_role) = @_;
     my $logger = Log::Log4perl::get_logger( ref($this) );

     my $radius_reply_ref = {};

     my $role = $this->getRoleByName($user_role);
     # Roles are configured and the user should have one
     if (defined($role) && isenabled($this->{_RoleMap})) {
         my $node_info = node_view($mac);
         my $violation = pf::violation::violation_view_top($mac);
         if ($node_info->{'status'} eq $pf::node::STATUS_REGISTERED &&
             !defined($violation)) {
             $radius_reply_ref = {
                 'User-Name' => $mac,
                 $this->returnRoleAttribute => $role,
             };
         }
         else {
             my (%session_id);
             pf::web::util::session(\%session_id,undef,6);
             $session_id{client_mac} = $mac;
             $session_id{wlan} = $ssid;
             $session_id{switch_id} = $this->{_id};
             pf::locationlog::locationlog_set_session($mac,
                 $session_id{_session_id});
             my $portal_url;
             if ( $ssid eq "Webreg-Production") {
                 $portal_url='http://10.4.0.3';
             }elsif ( $ssid eq "Augie-Guest") {
                 $portal_url='http://10.5.0.3';
             } else {
                 $portal_url=$this->{'_portalURL'};
             }

             $radius_reply_ref = {
                 'User-Name' => $mac,
                 'Cisco-AVPair' =>
                     ["url-redirect-acl=$role","url-redirect=".$portal_url."/cep$session_id{_session_id}"],
             };
         }
         $logger->info("[$mac] (".$this->{'_id'}.") Returning ACCEPT with role: $role");
     }

 Also check the httpd.admin... log files; you should be able to see what
 the error is.

 Regards
 Fabrice





 On 2015-05-21 12:28, J Nelson wrote:

Closer, but not quite.  So, my code now looks like:

 my $portal_url;
 if ( $ssid eq "Webreg-Production") {
     $portal_url='http://10.4.0.3';
 }elsif ( $ssid eq "Augie-Guest") {
     $portal_url='http://10.5.0.3';
 } else {
     $portal_url=$this->{'_portalURL'};
 };

 $radius_reply_ref = {
     'User-Name' => $mac,
     'Cisco-AVPair' =>
         ["url-redirect-acl=$role","url-redirect=".$portal_url."/cep$session_id{_session_id}"],
 };
 }

  So this is what I am experiencing now:
  Webreg-Production SSID works
  Augie-Guest SSID continues to loop
  in the packetfence GUI, under Network, when I click Switches i get:
 *Error!* An error occurred while contacting the server. Please try 

Re: [PacketFence-users] Cisco WLC HTTP authentication - multiple roles/subnets vs one portal

2015-05-21 Thread Fabrice DURAND
Hi Nelson,

my bad:

$portal_url="10.4.0.3"; => $portal_url='http://10.4.0.3';
$portal_url="10.5.0.3"; => $portal_url='http://10.5.0.3';

Regards
Fabrice

On 2015-05-21 10:47, J Nelson wrote:
 Fabrice,

 I tried to add what you provided to the code of WLC_http.pm, but once
 I do it, I get put into an endless redirect loop on both networks.  I
 do see that each network is trying to redirect to the proper portal
 IP.  I'm putting what I have in WLC_http.pm; I'm including some lines
 before and after the code tweak you provided, just so you can see if
 anything is missing before/after, like a { or ; somewhere.

     my $role = $this->getRoleByName($user_role);
     # Roles are configured and the user should have one
     if (defined($role) && isenabled($this->{_RoleMap})) {
         my $node_info = node_view($mac);
         if ($node_info->{'status'} eq $pf::node::STATUS_REGISTERED) {
             $radius_reply_ref = {
                 'User-Name' => $mac,
                 $this->returnRoleAttribute => $role,
             };
         }
         else {
             my (%session_id);
             pf::web::util::session(\%session_id,undef,6);
             $session_id{client_mac} = $mac;
             $session_id{wlan} = $ssid;
             $session_id{switch_id} = $this->{_id};
             my $portal_url;
             if ( $ssid eq "Webreg-Production") {
                 $portal_url="10.4.0.3";   # bare address, no http:// scheme (fixed in the follow-up)
             }elsif ( $ssid eq "Augie-Guest") {
                 $portal_url="10.5.0.3";
             } else {
                 $portal_url=$this->{'_portalURL'};
             }

             $radius_reply_ref = {
                 'User-Name' => $mac,
                 'Cisco-AVPair' =>
                     ["url-redirect-acl=$role","url-redirect=".$portal_url."/cep$session_id{_session_id}"],
             };

         }
         $logger->info("[$mac] (".$this->{'_id'}.") Returning ACCEPT with role: $role");
     }




 On Wed, May 20, 2015 at 9:33 AM, Fabrice DURAND fdur...@inverse.ca wrote:

 Hi John,

 So you will have to go into the code, because there is only one
 portal URL per switch config.

 So let's do a hack:
 
 https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Cisco/WLC_http.pm#L161

 my $portal_url;
 if ( $ssid eq "Staff") {
     $portal_url="10.4.0.3";   # bare address, no http:// scheme (fixed in the follow-up)
 }elsif ( $ssid eq "Guest") {
     $portal_url="10.5.0.3";
 } else {
     $portal_url=$this->{'_portalURL'};
 }

 $radius_reply_ref = {
     'User-Name' => $mac,
     'Cisco-AVPair' =>
         ["url-redirect-acl=$role","url-redirect=".$portal_url."/cep$session_id{_session_id}"],
 };


 Regards
 Fabrice



 On 2015-05-20 09:40, J Nelson wrote:
 Fabrice, I am purely Web Auth via Cisco WLC.

 So, in that configuration, I don't believe there is any way to
 change VLANs, as Web Auth is purely controlling access via ACLs
 on the WLC.
 Now, if I'm wrong on this, I need to be pointed in the right
 direction.

 So, I am trying to figure out how to basically have two
 registration interfaces in a pure WLC Web Auth setup:
 VLAN 4 - Staff/Fac
 VLAN 5 - Guest

 But it looks like I can only have one portal, since I set up VLAN 4
 first; the portal exists on that address space/subnet.  So, the
 issue I'm having: when I join the Guest network, a client in that
 network is unable to get to the portal page.  It looks like a
 redirect is happening, but I just can't get to it (the PF
 portal).  The ACL on the WLC is indicating that the traffic is
 being passed, but I don't believe iptables on the PF box is
 allowing it.  A client in the Guest network definitely cannot get
 to http/https on the PF portal IP address (confirmed via an Nmap
 scan).

 So I guess the question is, provided you understand what I'm
 trying to accomplish: can I have multiple Registration interfaces
 that use the same PF portal?  And what are the configuration
 requirements?  Throwing up two PF boxes, one for
 Staff/Fac/Student and one for Guest, would certainly work; just
 curious if I can do it all in one box.

 thanks..

 On Wed, May 20, 2015 at 8:23 AM, Fabrice DURAND fdur...@inverse.ca wrote:

 Hello Nelson,

 I am not sure I understand what you really want to do.

 Let's say you have a registration network: VLAN 4.
 A production network for the staff and a production network
 for the guest (5).

 When a device is unregistered, PacketFence will return VLAN
 5 and the device will hit the portal.
 Then, depending on whether it's Staff or a guest, after
 registration the device will be placed on its production
 network (depending on its role).

 Is it something like that you want to achieve ?

 Regards
 Fabrice


 On 2015-05-19 14:18, J Nelson wrote:
 Any role configured on a different subnet other than the
 native subnet where the captive portal is located will not work.

 So, 

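The two things Fabrice asks Nelson to check in this thread, the url-redirect VSAs in the RADIUS reply and the redirection seen on the client, can be checked mechanically. The following Python is an added example for this thread, not PacketFence code: it reproduces the SSID-to-portal mapping from the WLC_http.pm hack together with the scheme check that the "my bad" correction amounts to (a bare `10.4.0.3` is rejected, `http://10.4.0.3` passes), builds the two Cisco-AVPair strings in the form the thread uses (`url-redirect-acl=<role>` and `url-redirect=<portal>/cep<session id>`), and parses a Live HTTP Headers style capture to spot the loop Nelson saw, where the portal keeps answering a request for `/cep<id>` with a `Location:` pointing back at that same URL. The SSID names and addresses are taken from the thread, the sample capture is constructed after the one posted above, and the default portal URL that stands in for the switch's `_portalURL` is an assumption.

```python
"""Added example for this thread (not PacketFence code): build and sanity-check
the Cisco url-redirect VSAs, and detect a captive-portal redirect loop in a
Live HTTP Headers style capture."""
from urllib.parse import urlsplit

# SSID -> portal URL mapping, as in the WLC_http.pm hack in the thread.
PORTALS = {
    "Webreg-Production": "http://10.4.0.3",
    "Augie-Guest": "http://10.5.0.3",
}
# Assumption: stands in for the switch's configured $this->{'_portalURL'}.
DEFAULT_PORTAL = "http://10.4.0.3"


def is_valid_portal_url(url):
    """True only for an absolute http(s) URL with a host. The WLC puts the
    url-redirect value straight into its HTTP redirect, so a bare address
    such as '10.4.0.3' (the thread's first attempt) is rejected here."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def portal_for(ssid, portals=PORTALS, default=DEFAULT_PORTAL):
    """Pick the portal for an SSID, falling back to the switch default."""
    return portals.get(ssid, default)


def build_cisco_avpairs(ssid, role, session_id, portals=PORTALS, default=DEFAULT_PORTAL):
    """Return the two Cisco-AVPair strings sent for an unregistered node:
    the pre-auth ACL name and the portal redirect URL."""
    portal = portal_for(ssid, portals, default)
    if not is_valid_portal_url(portal):
        raise ValueError(f"url-redirect needs an absolute http(s) URL, got {portal!r}")
    return [f"url-redirect-acl={role}", f"url-redirect={portal}/cep{session_id}"]


def parse_http_capture(text):
    """Turn a Live HTTP Headers style dump into (request_url, status, location)
    tuples. Each exchange is a request line and headers, a blank line, then the
    response status line and headers; exchanges end with a '--<url>' line."""
    exchanges = []
    path = host = status = location = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("GET ", "POST ")):
            path = line.split()[1]
        elif line.lower().startswith("host:"):
            host = line.split(":", 1)[1].strip()
        elif line.startswith("HTTP/"):
            status = int(line.split()[1])
        elif line.lower().startswith("location:"):
            location = line.split(":", 1)[1].strip()
        elif line.startswith("--") and path is not None:
            exchanges.append((f"http://{host}{path}", status, location))
            path = host = status = location = None
    return exchanges


def find_redirect_loop(exchanges, threshold=3):
    """Return the URL the client keeps being sent back to, or None.
    A loop shows up as `threshold` consecutive exchanges where the request
    URL is answered with a Location header naming that same URL."""
    run, last = 0, None
    for url, _status, location in exchanges:
        bounced = location is not None and location.rstrip("/") == url.rstrip("/")
        if bounced and url == last:
            run += 1
        else:
            run, last = (1 if bounced else 0), url
        if run >= threshold:
            return url
    return None


# Constructed sample, modelled on the Live HTTP Headers dump posted in the thread.
SAMPLE_CAPTURE = """\
GET /cep0a5a10 HTTP/1.1
Host: 10.5.0.3
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0

HTTP/1.1 200 OK
Location: http://10.5.0.3/cep0a5a10
Content-Type: text/html
--http://10.5.0.3/cep0a5a10

GET /cep0a5a10 HTTP/1.1
Host: 10.5.0.3

HTTP/1.1 200 OK
Location: http://10.5.0.3/cep0a5a10
--http://10.5.0.3/cep0a5a10

GET /cep0a5a10 HTTP/1.1
Host: 10.5.0.3

HTTP/1.1 200 OK
Location: http://10.5.0.3/cep0a5a10
--http://10.5.0.3/cep0a5a10
"""

if __name__ == "__main__":
    print(build_cisco_avpairs("Augie-Guest", "guest", "0a5a10"))
    print("loop on:", find_redirect_loop(parse_http_capture(SAMPLE_CAPTURE)))
```

Run it as a script to see the reply attributes for the guest SSID and the looping URL from the sample capture; feeding it a real Live HTTP Headers dump works the same way, since the parser only keys on the request line, `Host:`, the status line, `Location:` and the `--<url>` separator.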
Re: [PacketFence-users] Cisco WLC HTTP authentication - multiple roles/subnets vs one portal

2015-05-21 Thread J Nelson
Closer, but not quite.  So, my code now looks like:

my $portal_url;
if ( $ssid eq "Webreg-Production") {
    $portal_url='http://10.4.0.3';
}elsif ( $ssid eq "Augie-Guest") {
    $portal_url='http://10.5.0.3';
} else {
    $portal_url=$this->{'_portalURL'};
};

$radius_reply_ref = {
    'User-Name' => $mac,
    'Cisco-AVPair' =>
        ["url-redirect-acl=$role","url-redirect=".$portal_url."/cep$session_id{_session_id}"],
};
}

So this is what I am experiencing now:
Webreg-Production SSID works
Augie-Guest SSID continues to loop
in the PacketFence GUI, under Network, when I click Switches I get: *Error!* An
error occurred while contacting the server. Please try again later.
I'm not seeing an error when packetfence starts.

On Thu, May 21, 2015 at 10:40 AM, Fabrice DURAND fdur...@inverse.ca wrote:

  Hi Nelson,

 my bad:

 $portal_url="10.4.0.3"; => $portal_url='http://10.4.0.3';
 $portal_url="10.5.0.3"; => $portal_url='http://10.5.0.3';

 Regards
 Fabrice


 On 2015-05-21 10:47, J Nelson wrote:

  Fabrice,

 I tried to add what you provided to the code of WLC_http.pm, but once I
 do it, I get put into an endless redirect loop on both networks.  I do see
 that each network is trying to redirect to the proper portal IP.  I'm
 putting what I have in WLC_http.pm; I'm including some lines before and
 after the code tweak you provided, just so you can see if anything is
 missing before/after, like a { or ; somewhere.

     my $role = $this->getRoleByName($user_role);
     # Roles are configured and the user should have one
     if (defined($role) && isenabled($this->{_RoleMap})) {
         my $node_info = node_view($mac);
         if ($node_info->{'status'} eq $pf::node::STATUS_REGISTERED) {
             $radius_reply_ref = {
                 'User-Name' => $mac,
                 $this->returnRoleAttribute => $role,
             };
         }
         else {
             my (%session_id);
             pf::web::util::session(\%session_id,undef,6);
             $session_id{client_mac} = $mac;
             $session_id{wlan} = $ssid;
             $session_id{switch_id} = $this->{_id};
             my $portal_url;
             if ( $ssid eq "Webreg-Production") {
                 $portal_url="10.4.0.3";   # bare address, no http:// scheme (fixed in the follow-up)
             }elsif ( $ssid eq "Augie-Guest") {
                 $portal_url="10.5.0.3";
             } else {
                 $portal_url=$this->{'_portalURL'};
             }

             $radius_reply_ref = {
                 'User-Name' => $mac,
                 'Cisco-AVPair' =>
                     ["url-redirect-acl=$role","url-redirect=".$portal_url."/cep$session_id{_session_id}"],
             };

         }
         $logger->info("[$mac] (".$this->{'_id'}.") Returning ACCEPT with role: $role");
     }




 On Wed, May 20, 2015 at 9:33 AM, Fabrice DURAND fdur...@inverse.ca
 wrote:

  Hi John,

 So you will have to go into the code, because there is only one portal URL
 per switch config.

 So let's do a hack:

 https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Cisco/WLC_http.pm#L161

 my $portal_url;
 if ( $ssid eq "Staff") {
     $portal_url="10.4.0.3";   # bare address, no http:// scheme (fixed in the follow-up)
 }elsif ( $ssid eq "Guest") {
     $portal_url="10.5.0.3";
 } else {
     $portal_url=$this->{'_portalURL'};
 }

 $radius_reply_ref = {
     'User-Name' => $mac,
     'Cisco-AVPair' =>
         ["url-redirect-acl=$role","url-redirect=".$portal_url."/cep$session_id{_session_id}"],
 };


 Regards
 Fabrice



 On 2015-05-20 09:40, J Nelson wrote:

 Fabrice, I am purely Web Auth via Cisco WLC.

 So, in that configuration, I don't believe there is any way to change
 VLANs, as Web Auth is purely controlling access via ACLs on the WLC.
 Now, if I'm wrong on this, I need to be pointed in the right direction.

 So, I am trying to figure out how to basically have two registration
 interfaces in a pure WLC Web Auth setup:
 VLAN 4 - Staff/Fac
 VLAN 5 - Guest

 But it looks like I can only have one portal, since I set up VLAN 4 first;
 the portal exists on that address space/subnet.  So, the issue I'm having:
 when I join the Guest network, a client in that network is unable to get to
 the portal page.  It looks like a redirect is happening, but I just can't
 get to it (the PF portal).  The ACL on the WLC is indicating that the
 traffic is being passed, but I don't believe iptables on the PF box is
 allowing it.  A client in the Guest network definitely cannot get to
 http/https on the PF portal IP address (confirmed via an Nmap scan).

 So I guess the question is, provided you understand what I'm trying to
 accomplish: can I have multiple Registration interfaces that use the same
 PF portal?  And what are the configuration requirements?  Throwing up two PF
 boxes, one for Staff/Fac/Student and one for Guest, would certainly work; just
 curious if I can do it all in one box.

 thanks..

 On Wed, May 20, 2015 at 8:23 AM, Fabrice DURAND fdur...@inverse.ca
 wrote:

  Hello Nelson,

 I am not sure I understand what you really want to do.

 Let's say you have a registration network: VLAN 4.
 A production network for the staff and a production network for the
 guest (5).

 When a device is unreg then 

Re: [PacketFence-users] Cisco WLC HTTP authentication - multiple roles/subnets vs one portal

2015-05-21 Thread Fabrice DURAND
The function is like that ? :

sub returnRadiusAccessAccept {
    my ($this, $vlan, $mac, $port, $connection_type, $user_name, $ssid,
        $wasInline, $user_role) = @_;
    my $logger = Log::Log4perl::get_logger( ref($this) );

    my $radius_reply_ref = {};

    my $role = $this->getRoleByName($user_role);
    # Roles are configured and the user should have one
    if (defined($role) && isenabled($this->{_RoleMap})) {
        my $node_info = node_view($mac);
        my $violation = pf::violation::violation_view_top($mac);
        if ($node_info->{'status'} eq $pf::node::STATUS_REGISTERED &&
            !defined($violation)) {
            $radius_reply_ref = {
                'User-Name' => $mac,
                $this->returnRoleAttribute => $role,
            };
        }
        else {
            my (%session_id);
            pf::web::util::session(\%session_id,undef,6);
            $session_id{client_mac} = $mac;
            $session_id{wlan} = $ssid;
            $session_id{switch_id} = $this->{_id};
            pf::locationlog::locationlog_set_session($mac,
                $session_id{_session_id});
            my $portal_url;
            if ( $ssid eq "Webreg-Production") {
                $portal_url='http://10.4.0.3';
            }elsif ( $ssid eq "Augie-Guest") {
                $portal_url='http://10.5.0.3';
            } else {
                $portal_url=$this->{'_portalURL'};
            }

            $radius_reply_ref = {
                'User-Name' => $mac,
                'Cisco-AVPair' =>
                    ["url-redirect-acl=$role","url-redirect=".$portal_url."/cep$session_id{_session_id}"],
            };
        }
        $logger->info("[$mac] (".$this->{'_id'}.") Returning ACCEPT with role: $role");
    }

Also check the httpd.admin... log files; you should be able to see what
the error is.

Regards
Fabrice




On 2015-05-21 12:28, J Nelson wrote:
 Closer, but not quite.  So, my code now looks like:

 my $portal_url;
 if ( $ssid eq "Webreg-Production") {
     $portal_url='http://10.4.0.3';
 }elsif ( $ssid eq "Augie-Guest") {
     $portal_url='http://10.5.0.3';
 } else {
     $portal_url=$this->{'_portalURL'};
 };

 $radius_reply_ref = {
     'User-Name' => $mac,
     'Cisco-AVPair' =>
         ["url-redirect-acl=$role","url-redirect=".$portal_url."/cep$session_id{_session_id}"],
 };
 }

 So this is what I am experiencing now:
 Webreg-Production SSID works
 Augie-Guest SSID continues to loop
 in the PacketFence GUI, under Network, when I click Switches I get:
 *Error!* An error occurred while contacting the server. Please try
 again later.
 I'm not seeing an error when packetfence starts.

 On Thu, May 21, 2015 at 10:40 AM, Fabrice DURAND fdur...@inverse.ca wrote:

 Hi Nelson,

 my bad:

 $portal_url="10.4.0.3"; => $portal_url='http://10.4.0.3';
 $portal_url="10.5.0.3"; => $portal_url='http://10.5.0.3';

 Regards
 Fabrice


 On 2015-05-21 10:47, J Nelson wrote:
 Fabrice,

 I tried to add what you provided to the code of WLC_http.pm, but
 once I do it, I get put into an endless redirect loop on both
 networks.  I do see that each network is trying to redirect to
 the proper portal IP.  I'm putting what I have in WLC_http.pm;
 I'm including some lines before and after the code tweak you
 provided, just so you can see if anything is missing
 before/after, like a { or ; somewhere.

     my $role = $this->getRoleByName($user_role);
     # Roles are configured and the user should have one
     if (defined($role) && isenabled($this->{_RoleMap})) {
         my $node_info = node_view($mac);
         if ($node_info->{'status'} eq $pf::node::STATUS_REGISTERED) {
             $radius_reply_ref = {
                 'User-Name' => $mac,
                 $this->returnRoleAttribute => $role,
             };
         }
         else {
             my (%session_id);
             pf::web::util::session(\%session_id,undef,6);
             $session_id{client_mac} = $mac;
             $session_id{wlan} = $ssid;
             $session_id{switch_id} = $this->{_id};
             my $portal_url;
             if ( $ssid eq "Webreg-Production") {
                 $portal_url="10.4.0.3";   # bare address, no http:// scheme (fixed in the follow-up)
             }elsif ( $ssid eq "Augie-Guest") {
                 $portal_url="10.5.0.3";
             } else {
                 $portal_url=$this->{'_portalURL'};
             }

             $radius_reply_ref = {
                 'User-Name' => $mac,
                 'Cisco-AVPair' =>
                     ["url-redirect-acl=$role","url-redirect=".$portal_url."/cep$session_id{_session_id}"],
             };

         }
         $logger->info("[$mac] (".$this->{'_id'}.") Returning ACCEPT with role: $role");
     }




 On Wed, May 20, 2015 at 9:33 AM, Fabrice DURAND fdur...@inverse.ca wrote:

 Hi John,

 So you will have to go into the code, because there is only one
 portal URL per switch config.

 So let's do a hack:
 
 

Re: [PacketFence-users] Cisco WLC HTTP authentication - multiple roles/subnets vs one portal

2015-05-20 Thread Fabrice DURAND
Hello Nelson,

I am not sure I understand what you really want to do.

Let's say you have a registration network: VLAN 4.
A production network for the staff and a production network for the
guest (5).

When a device is unregistered, PacketFence will return VLAN 5 and the
device will hit the portal.
Then, depending on whether it's Staff or a guest, after registration the
device will be placed on its production network (depending on its role).

Is it something like that you want to achieve ?

Regards
Fabrice

On 2015-05-19 14:18, J Nelson wrote:
 Any role configured on a different subnet other than the native subnet
 where the captive portal is located will not work.

 So, what I do have working is my Fac-Staff SSID, which is on VLAN
 4/10.4.0.0/24
 The captive portal is located at: 10.4.0.3
 The WLC is configured at Network | Switches | and is configured to do Role
 by Switch Role, where WLC ACLs are entered to define Registration and
 then Fac-Staff access upon registration.

 The Portal URL is in the Fac-Staff registration network - IP address,
 in this case: 10.4.0.3

 So, the problem I'm running into is that I want Guests on a different
 subnet and SSID other than where Fac-Staff reside.  So I create a new
 interface, on a different subnet, as: Type - Registration, and
 configure a new SSID on the WLC side.

 So, for now, I configure the WLC under switches with the same ACLs as
 Fac-Staff for the Guest role; just for simplicity I'm using the same
 ACLs for now, since I know they work.

 The Guest network info is: VLAN 5 | 10.5.0.0

 So, when logging on as guest, it appears as though a redirect attempts
 to happen, but doing a port scan shows that a computer attached to the
 guest SSID does not have http/https available to them on 10.4.0.3,
 the captive portal.

 Looking at the PF iptables config, it appears as though there is a
 variable that says any registration network should have access to the
 captive portal, but that seems to not be the case.

 So, why am I trying to configure this?
 With guests on a different VLAN, I can very easily control the
 bandwidth available to them in multiple places: from the WLC, from
 the core switches, or from our NetEnforcer.

 Basic network configuration is correct: PF can ping the guest network
 gateway and WLC interfaces as well.

 It seems to me like it's definitely in iptables, but I'm hesitant
 to make changes in case what I'm trying to accomplish is way off base.

 Hopefully it's somewhat clear what I'm trying to do here; any ideas?

 -- 
 Justin Nelson
 Network Engineer
 Augustana College




-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 





Re: [PacketFence-users] Cisco WLC HTTP authentication - multiple roles/subnets vs one portal

2015-05-20 Thread J Nelson
Fabrice, I am purely Web Auth via Cisco WLC.

So, in that configuration, I don't believe there is any way to change VLANs
- as Web Auth is purely controlling access via ACLs on the WLC.
- now if I'm wrong on this, I need to be pointed in the right direction.

So, I am trying to figure out how to basically have two registration
interfaces in a pure WLC Web Auth setup:
Vlan4 - Staff/Fac
Vlan5 - Guest

but, it looks like I can only have one portal, since I set up Vlan 4 first - the
portal exists on that address space/subnet.  So, the issue I'm having, when
I join the Guest network, a client in that network is unable to get to the
portal page.  It looks like a redirect is happening, but I just can't get to
it (the PF portal).  The ACL on the WLC is indicating that the traffic is
being passed, but I don't believe iptables on the PF box is allowing it. A
client in the Guest network definitely cannot get to http/https on the PF
portal IP address (confirming via an NMAP scan).

So I guess the question is, providing you understand what I'm trying to
accomplish, can I have multiple Registration interfaces that use the same
PF portal? And what are the configuration requirements?  Throwing up two PF
boxes - one for Staff/Fac/Student, one for Guest - would certainly work, just
curious if I can do it all in one box.

thanks..

On Wed, May 20, 2015 at 8:23 AM, Fabrice DURAND fdur...@inverse.ca wrote:

 Hello Nelson,

 I am not sure I understand what you really want to do.

 Let's say you have a registration network: VLAN 4,
 a production network for the staff and a production network for the guests
 (5).

 When a device is unreg then PacketFence will return VLAN 5 and the
 device will hit the portal.
 Then, depending on whether it's Staff or a guest, after registration the
 device will be placed on its production network (depending on its role).

 Is it something like that you want to achieve?

 Regards
 Fabrice


 Le 2015-05-19 14:18, J Nelson a écrit :

 any role configured on a different subnet other than the native subnet
 where the captive portal is located will not work.

 So, what I do have working is my Fac-Staff SSID which is on VLAN 4/
 10.4.0.0/24
 captive portal is located at: 10.4.0.3
 WLC is configured at Network | Switches | and is configured to do Role by
 Switch Role, where WLC ACLs are entered to define Registration and then
 Fac-Staff access upon registration.

 The Portal URL is in the Fac-Staff registration network - IP address, in
 this case: 10.4.0.3

 So, the problem I'm running into is that I want Guests on a different
 subnet and SSID other than where Fac-Staff reside.  So I create a new
 interface, on a different subnet, as: Type - Registration, and configure a
 new SSID on the WLC side.

 So, for now, I configure the WLC under switches with the same ACLs as
 Fac-Staff for the Guest role - just for simplicity I'm using the same ACLs
 for now, since I know they work.

 The Guest network info is: vlan 5 | 10.5.0.0

 So, when logging on as guest, it appears as though a redirect attempts to
 happen, but doing a port scan shows that a computer attached to the guest
 SSID does not have http/https available to them on 10.4.0.3 - the captive
 portal.

 Looking at the PF iptables config, it appears as though there is a
 variable that says any registration network should have access to the
 captive portal, but that seems to not be the case.

 So, why am I trying to configure this?
 With guests on a different VLAN, I can very easily control the bandwidth
 available to them in multiple places - from the WLC, from the core
 switches, or from our NetEnforcer.

 Basic network configuration is correct: PF can ping guest network gateway
 and WLC interfaces as well.

 But, it seems to me like it's definitely in iptables, but I'm hesitant to
 make changes in case what I'm trying to accomplish is way off base.

 Hopefully it's somewhat clear what I'm trying to do here, any ideas?

 --
 Justin Nelson
 Network Engineer
 Augustana College





 --
 Fabrice Durand
 fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
 Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
 (http://packetfence.org)




Re: [PacketFence-users] Cisco WLC HTTP authentication - multiple roles/subnets vs one portal

2015-05-20 Thread Fabrice DURAND
Hi John,

So you will have to go into the code, because there is only one portal URL
per switch config.

So let's do a hack:
https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Cisco/WLC_http.pm#L161

my $portal_url;
# Pick the portal from the SSID the client associated to; any other SSID
# keeps the portal URL configured for this switch. The hard-coded values
# must take the same form as that configured portal URL.
if ( $ssid eq "Staff" ) {
    $portal_url = "10.4.0.3";
} elsif ( $ssid eq "Guest" ) {
    $portal_url = "10.5.0.3";
} else {
    $portal_url = $this->{'_portalURL'};
}

$radius_reply_ref = {
    'User-Name'    => $mac,
    'Cisco-AVPair' => [
        "url-redirect-acl=$role",
        "url-redirect=" . $portal_url . "/cep$session_id{_session_id}",
    ],
};


Regards
Fabrice


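A table-driven form of the same per-SSID selection, added here as an example; it is neither Fabrice's patch nor PacketFence's own code. It keeps the SSID-to-portal map in one hash, falls back to the switch's configured portal URL for unknown SSIDs, and refuses a mapped portal whose address lies outside that SSID's registration subnet, the mismatch behind guest clients on 10.5.0.0/24 being unable to reach the portal at 10.4.0.3. The /24 on the guest network, the `build_redirect_reply` name and the sample MAC and session id are assumptions.

```perl
#!/usr/bin/perl
# Added example, not PacketFence code. The SSID map and the 10.4/10.5
# subnets are taken from this thread; everything else is constructed.
use strict;
use warnings;
use Socket qw(inet_aton);

# SSID => { portal  => URL clients are redirected to,
#           network => registration subnet that SSID lands in (IPv4 CIDR) }
my %PORTAL_BY_SSID = (
    Staff => { portal => 'http://10.4.0.3', network => '10.4.0.0/24' },
    Guest => { portal => 'http://10.5.0.3', network => '10.5.0.0/24' },
);

# Dotted-quad IPv4 address -> 32-bit integer; dies on anything else.
sub ip_to_int {
    my ($ip) = @_;
    my $packed = inet_aton($ip) or die "bad IPv4 address '$ip'\n";
    return unpack 'N', $packed;
}

# True when $ip lies inside $cidr (e.g. '10.5.0.3' in '10.5.0.0/24').
sub ip_in_cidr {
    my ($ip, $cidr) = @_;
    my ($net, $bits) = split m{/}, $cidr;
    die "bad prefix length in '$cidr'\n"
        unless defined $bits && $bits =~ /^\d+$/ && $bits <= 32;
    my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return (ip_to_int($ip) & $mask) == (ip_to_int($net) & $mask);
}

# Portal URL for an SSID. Unmapped SSIDs keep $default, the URL the switch
# entry is already configured with ($this->{'_portalURL'} in the module).
# A mapped portal whose address is outside the SSID's registration subnet
# is refused: clients on that SSID would be sent to a portal address that
# the registration firewall rules do not open for their network, which is
# the symptom in this thread (guests on 10.5.0.0/24 redirected to 10.4.0.3).
sub portal_url_for_ssid {
    my ($ssid, $default) = @_;
    my $entry = $PORTAL_BY_SSID{$ssid} or return $default;
    my ($host) = $entry->{portal}
        =~ m{^https?://(\d{1,3}(?:\.\d{1,3}){3})(?:[:/]|$)};
    die "portal for SSID '$ssid' must be given by IPv4 address\n"
        unless defined $host;
    die "portal $host for SSID '$ssid' is outside $entry->{network}\n"
        unless ip_in_cidr($host, $entry->{network});
    return $entry->{portal};
}

# RADIUS reply the WLC needs for web-auth: the pre-registration ACL to
# apply and the redirect URL carrying the PacketFence session id.
sub build_redirect_reply {
    my (%arg) = @_;    # mac, ssid, role, session_id, default_portal
    for my $k (qw(mac ssid role session_id default_portal)) {
        die "missing argument '$k'\n" unless defined $arg{$k};
    }
    my $portal = portal_url_for_ssid($arg{ssid}, $arg{default_portal});
    return {
        'User-Name'    => $arg{mac},
        'Cisco-AVPair' => [
            "url-redirect-acl=$arg{role}",
            "url-redirect=$portal/cep$arg{session_id}",
        ],
    };
}

# Constructed sample: a client associates to the Guest SSID.
my $reply = build_redirect_reply(
    mac            => 'aa:bb:cc:dd:ee:ff',
    ssid           => 'Guest',
    role           => 'registration',
    session_id     => 'abc123',
    default_portal => 'http://10.4.0.3',
);
print "User-Name: $reply->{'User-Name'}\n";
print "Cisco-AVPair: $_\n" for @{ $reply->{'Cisco-AVPair'} };
```

Pointing the Guest entry at a portal outside 10.5.0.0/24 makes the script die before any reply is built, which is the check to run before editing the switch module.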

Re: [PacketFence-users] Cisco WLC users, a question for you.

2014-12-16 Thread Durand fabrice
Hi Jake,

Yes, this is what PacketFence will do.

Fabrice

Le 2014-12-15 16:28, Sallee, Jake a écrit :
 Fabrice:

 controller_ip is the parameter you are looking for.
 Can you expand a bit on that?  Are you saying that if I put:

 controller_ip = ip of my WLC

 in my switches.conf in the switch declaration it will send all my de-auth to 
 that IP and NOT the IP we have set for the switch? Because, that would be 
 awesome.


 Jake Sallee
 Godfather of Bandwidth
 System Engineer
 University of Mary Hardin-Baylor
 WWW.UMHB.EDU

 900 College St.
 Belton, Texas
 76513

 Fone: 254-295-4658
 Phax: 254-295-4221

 
 From: Fabrice DURAND [fdur...@inverse.ca]
 Sent: Monday, December 15, 2014 10:35 AM
 To: packetfence-users@lists.sourceforge.net
 Subject: Re: [PacketFence-users] Cisco WLC users, a question for you.

 Hello,

 controller_ip is the parameter you are looking for.
 Just set it in your switch configuration and PacketFence will use it
 instead of the RADIUS source IP.

 Regards
 Fabrice



 Le 2014-12-15 11:28, forums a écrit :
 I have the same thing... lots of buildings with the same SSIDs but I
 drop them into different VLANs based on the IP for the request.  I was
 looking through the code.. (dangerous, I know...) and was thinking that
 as I only have the one controller, hopefully I could just force it to
 use the mgmt IP of the controller during deauth instead of the IP that
 is used for the request that matches the IP in the PacketFence switches
 config file.

 I am looking around the /usr/local/pf/lib/pf/Switch/Cisco/ files.  If
 somebody has a hint on where this might be accomplished, I would
 appreciate it.

 thanks
 Sean



Re: [PacketFence-users] Cisco WLC users, a question for you.

2014-12-15 Thread forums
I have the same thing... lots of buildings with the same SSIDs but I
drop them into different VLANs based on the IP for the request.  I was
looking through the code.. (dangerous, I know...) and was thinking that
as I only have the one controller, hopefully I could just force it to
use the mgmt IP of the controller during deauth instead of the IP that
is used for the request that matches the IP in the PacketFence switches
config file.

I am looking around the /usr/local/pf/lib/pf/Switch/Cisco/ files.  If 
somebody has a hint on where this might be accomplished, I would 
appreciate it.

thanks
Sean


On 2014-12-11 13:15, Fletcher Haynes wrote:
 Ah! I bet you have the same SSID across campus? I assign VLANs based
 on that, since we have different SSIDs across campus.
 
 And sure, send me an e-mail offlist, I'm happy to do a teamviewer
 session.
 
 On Thu, Dec 11, 2014 at 11:10 AM, Sallee, Jake jake.sal...@umhb.edu
 wrote:
 
 Apologies if this is obvious ...
 
 No apologies necessary, I appreciate the dialogue.
 
 We have been told we have a complicated network, so it can be
 difficult to explain in brief.  A misunderstanding is most likely a
 failure on my part to adequately explain the situation.
 
 I have one WiSM2 that serves all of them, with its mgmt interface
 on a different VLAN/subnet from the buildings.
 
 How do you assign the correct VLANs to the user?  I would love to
 do a teamviewer session sometime and let you look at our config.
 Maybe the way you are doing it is the way I should be.
 
 Jake Sallee
 Godfather of Bandwidth
 System Engineer
 University of Mary Hardin-Baylor
 WWW.UMHB.EDU
 
 900 College St.
 Belton, Texas
 76513
 
 Fone: 254-295-4658
 Phax: 254-295-4221
 
 From: Fletcher Haynes [fhay...@willamette.edu]
 Sent: Thursday, December 11, 2014 12:17 PM
 To: packetfence-users@lists.sourceforge.net
 Subject: Re: [PacketFence-users] Cisco WLC users, a question for you.
 
 Well, maybe I am not understanding something about your setup...we
 are also a college campus, and we have various subnets and VLANs for
 collections of buildings. I have one WiSM2 that serves all of them,
 with its mgmt interface on a different VLAN/subnet from the
 buildings. I do not use the Radius Server Overwrite Interface in
 AAA. Deauth works fine with this architecture.
 
 So I guess my question is, what is the reason for using the
 interface overwrite? Apologies if this is obvious from your prior
 messages, I might just be missing something...
 
 On Thu, Dec 11, 2014 at 10:10 AM, Sallee, Jake jake.sal...@umhb.edu wrote:
 Are you doing that because you don't route between your building
 subnets?
 
 No, we do route between subnets.  We decided to segment the
 network like that to minimize our broadcast domains.  Being a
 college campus I have a lot of random, strange, and crappy equipment
 that hits my network every day.  With this style of network I gain
 a lot of flexibility over access as well as mitigating broadcast
 storms.
 
 Jake Sallee
 Godfather of Bandwidth
 System Engineer
 University of Mary Hardin-Baylor
 WWW.UMHB.EDU
 
 900 College St.
 Belton, Texas
 76513
 
 Fone: 254-295-4658
 Phax: 254-295-4221
 
 From: Fletcher Haynes [fhay...@willamette.edu]
 Sent: Thursday, December 11, 2014 11:14 AM
 To: packetfence-users@lists.sourceforge.net
 Subject: Re: [PacketFence-users] Cisco WLC users, a question for you.
 
 Ah. Are you doing that because you don't route between your
 building subnets?
 
 On Thu, Dec 11, 2014 at 9:08 AM, Sallee, Jake jake.sal...@umhb.edu wrote:
 Are you using the Radius Server Overwrite Interface option that
 is in the AAA section for each WLAN?
 
 Yes, I wish it were that easy :(
 
 Jake Sallee
 Godfather of Bandwidth
 System Engineer
 University of Mary Hardin-Baylor
 WWW.UMHB.EDU
 
 900 College St.
 Belton, Texas
 76513
 
 Fone: 254-295-4658
 Phax: 254-295-4221
 
 From: Fletcher Haynes [fhay...@willamette.edu]
 Sent: Thursday, December 11, 2014 10:31 AM
 To: packetfence-users@lists.sourceforge.net
 Subject: Re: [PacketFence-users] Cisco WLC users, a question for you.
 
 Are you using the Radius Server Overwrite Interface option that is
 in the AAA section for each WLAN?
 
 I think option 2 is unlikely, heh

Re: [PacketFence-users] Cisco WLC users, a question for you.

2014-12-15 Thread Fabrice DURAND
Hello,

controller_ip is the parameter you are looking for.
Just set it in your switch configuration and PacketFence will use it
instead of the RADIUS source IP.

Regards
Fabrice




Re: [PacketFence-users] Cisco WLC users, a question for you.

2014-12-15 Thread forums
Thank you Fabrice!  So many other options, I completely kept scrolling
past that one.
Added and my initial testing is passing without any issues.

Thanks again!

Sean


Re: [PacketFence-users] Cisco WLC users, a question for you.

2014-12-15 Thread Sallee, Jake
Fabrice:

controller_ip is the parameter you are looking for.

Can you expand a bit on that?  Are you saying that if I put:

controller_ip = ip of my WLC 

in my switches.conf in the switch declaration it will send all my de-auth to 
that IP and NOT the IP we have set for the switch? Because, that would be 
awesome.


Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


From: Fabrice DURAND [fdur...@inverse.ca]
Sent: Monday, December 15, 2014 10:35 AM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Cisco WLC users, a question for you.

Hello,

controller_ip is the parameter you are looking for.
Just set it in your switch configuration and packetfence will use it
instead of the radius source ip.

Regards
Fabrice



Le 2014-12-15 11:28, forums a écrit :
 I have the same thing... lots of buildings with the same SSIDs but I
 drop them into different vlans based on the ip for the request.  I was
 looking through the code.. (dangerous, I know...) and was thinking that
 as I only have the one controller, hopefully I could just force it to
 use the mgmt ip of the controller during deauth instead of the ip that
 is used for the request that matches the ip in the Packetfence switches
 config file.

 I am looking around the /usr/local/pf/lib/pf/Switch/Cisco/ files.  If
 somebody has a hint on where this might be accomplished, I would
 appreciate it.

 thanks
 Sean


Re: [PacketFence-users] Cisco WLC users, a question for you.

2014-12-11 Thread Fletcher Haynes
Are you using the Radius Server Overwrite Interface option that is in the
AAA section for each WLAN?

I think option 2 is unlikely, heh. At least not in a timely manner.

On Thu, Dec 11, 2014 at 8:13 AM, Sallee, Jake jake.sal...@umhb.edu wrote:

 My fellow PacketFence users:

 Good day! I know few of you are running PF in conjunction with Cisco WLC
 boxen.  I am running into an issue and I would like to know if anyone else
 can replicate it.

 Background info:

 I run a highly segmented network, I have ~50 buildings and each has its
 own class B network space with its own set of Vlans.  However I am not made
 of monies and therefore have only a single WLC (well 2 really, but that's
 not important now).  Suffice it to say that the network is configured such
 that Vlan 111 which exists in building 11 will not work in building 12
 where the equipment there does not know about it.

 We have configured our WLC to use a unique WLAN ID for each of the
 buildings on campus, each of these WLANs is attached to an interface that
 has an IP and VLan membership that is appropriate for the building it is
 serving.

 Our WLC is running the latest code release.

 End background info.

 The problem:

 When PF sends the De-Auth command (SNMP or RADIUS both as far as we can
 tell) the WLC is discarding the request because it is not coming in on the
 management interface of the WLC, but rather the interface that is
 associated with the WLAN on the WLC.

 Example:

 The WLC has a management IP of 10.2.1.XX
 WLAN 17 has an assigned IP of 10.17.XX.XX

 When PF sends the de-auth packet it is sending it to 10.17.XX.XX because
 that is the IP the authentication and authorizations are coming from for
 the client.  However the WLC DROPS the packet since it is not coming to
 10.2.1.XX which is the management IP of the WLC.

 Has anyone else seen this kind of behaviour with their WLC?  Can anyone
 else reproduce it?

 I have spoken to Cisco TAC and their response was that it should work, but
 then they said no.

 As it stands it looks as if I have 2 options. 1) Do some custom
 development on PF to send the de-auth packets to the management IP of the
 WLC or 2) Get Cisco to make the WLC accept and act on the packets.

 Which do you think is more likely?

 Jake Sallee
 Godfather of Bandwidth
 System Engineer
 University of Mary Hardin-Baylor
 WWW.UMHB.EDU

 900 College St.
 Belton, Texas
 76513

 Fone: 254-295-4658
 Phax: 254-295-4221


 --
 Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
 from Actuate! Instantly Supercharge Your Business Reports and Dashboards
 with Interactivity, Sharing, Native Excel Exports, App Integration  more
 Get technology previously reserved for billion-dollar corporations, FREE

 http://pubads.g.doubleclick.net/gampad/clk?id=164703151iu=/4140/ostg.clktrk
 ___
 PacketFence-users mailing list
 PacketFence-users@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/packetfence-users




-- 
Fletcher Haynes fhay...@willamette.edu
Systems Administrator/Network Services Consultant
Willamette Integrated Technology Services
Willamette University, Salem, OR
Phone: 503.370.6016


Re: [PacketFence-users] Cisco WLC users, a question for you.

2014-12-11 Thread Sallee, Jake
 Are you using the Radius Server Overwrite Interface option that is in the AAA 
 section for each WLAN?

Yes, I wish it were that easy :(

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221



Re: [PacketFence-users] Cisco WLC users, a question for you.

2014-12-11 Thread Fletcher Haynes
Ah. Are you doing that because you don't route between your building
subnets?

-- 
Fletcher Haynes fhay...@willamette.edu
Systems Administrator/Network Services Consultant
Willamette Integrated Technology Services
Willamette University, Salem, OR
Phone: 503.370.6016

Re: [PacketFence-users] Cisco WLC users, a question for you.

2014-12-11 Thread Sallee, Jake
 Are you doing that because you don't route between your building subnets?

No, we do route between subnets.  We decided to segment the network like that 
to minimize our broadcast domains.  Being a college campus I have a lot of 
random, strange, and crappy equipment that hits my network every day.  With 
this style of network I gain a lot of flexibility over access as well as 
mitigating broadcast storms.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


Re: [PacketFence-users] Cisco WLC users, a question for you.

2014-12-11 Thread Sallee, Jake
 Apologies if this is obvious ...

No apologies necessary, I appreciate the dialogue.

We have been told we have a complicated network, so it can be difficult to 
explain in brief.  A misunderstanding is most likely a failure on my part to 
adequately explain the situation.


 I have one WiSM2 that serves all of them, with its mgmt interface on a 
 different VLAN/subnet from the buildings.

How do you assign the correct VLans to the user?  I would love to do a 
teamviewer session sometime and let you look at our config.  Maybe the way you 
are doing it is the way I should be.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

From: Fletcher Haynes [fhay...@willamette.edu]
Sent: Thursday, December 11, 2014 12:17 PM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Cisco WLC users, a question for you.

Well, maybe I am not understanding something about your setup...we are also a 
college campus, and we have various subnets and VLANs for collections of 
buildings. I have one WiSM2 that serves all of them, with its mgmt interface on 
a different VLAN/subnet from the buildings. I do not use the Radius Server 
Overwrite Interface in AAA. Deauth works fine with this architecture.

So I guess my question is, what is the reason for using the interface 
overwrite? Apologies if this is obvious from your prior messages, I might just 
be missing something...


Re: [PacketFence-users] Cisco WLC users, a question for you.

2014-12-11 Thread Fletcher Haynes
Ah! I bet you have the same SSID across campus? I assign VLANs based on
that, since we have different SSIDs across campus.

And sure, send me an e-mail offlist, I'm happy to do a teamviewer session.


Re: [PacketFence-users] Cisco WLC same SSID different vlans

2014-12-06 Thread forums
I found it...

under WLANs > Edit > Security > AAA Servers, Radius Server Overwrite 
interface and check it enabled.  Set the interface Priority to WLAN and 
then apply.

The radius request then comes from the ip of the wlan you specify on the 
general tab for Interface.

Note - If you are using access-lists on the CPU, they will need to be 
updated.

This is a lot easier than what I had initially envisioned!

Thanks Jake for the nudge in the right direction!

Sean

On 2014-12-03 16:11, forums wrote:
 Thanks Jake,
 
 I have an interface setup on vlan 20 for the access-points for a test.
 the wlan with the duplicated SSID is using 121.  I have applied it to
 its own AP group for that building.  The packetfence is seeing the
 source still as the mgmt of the controller.  I have been through the
 interface and wlan screens but must be missing the make the request
 using the mgmt ip address check box.
 
 Thanks
 Sean
 
 On 2014-12-03 12:12, Sallee, Jake wrote:
 Yo! Jake here.  Sorry it has taken me a bit to get back with you, it's
 a bit crazy for me right now.
 
 We have attempted to solve the same SSID + different VLan issue in two
 ways.  The first way involved some custom code and a custom DB table.
 Basically the way it worked was when a user authenticated on one of
 our Cisco LWAPPs the APs MAC would be found in the table and the
 associated VLan prefix would be appended to the VLan return value.
 
 This worked well for a while but it proved to be a bit of a pain
 through upgrades since if the files I had customized (technically
 Inverse did most of the customizations, I just touched it up a bit due
 to changes through multiple upgrades) needed to be inspected and
 verified to work properly after a PF upgrade.
 
 The last upgrade I did, I botched pretty badly (I thought I was on the
 dev box ... turns out I was not ... oops) the net effect of which was
 I setup PF from scratch and imported the DB with all of my nodes, APs,
 etc from a backup ... but that also meant that I had to put back my
 customizations that made upgrades difficult. So I started looking for
 another way, and I found the way we are currently doing it now.
 
 A strange quirk of the WLC is that you cannot have SSIDs with the same
 name. It was at this point I was stumped since I am not allowed to
 change the name of our SSID.  But then I found a very poorly
 documented feature of the WLC.
 
 You CAN have duplicate SSIDs so long as the WLAN ID is at least 18,
 after that you can duplicate SSID names as much as you like.
 
 WHAT?!, I hear you say.
 
 Yes, indeed!, I say.
 
 But why 18? That seems arbitrary and foolish. You respond.
 
 Yes, yes it does. I sigh.
 
 So, currently our setup is this.  A single SSID per building that is
 attached to the interface group for that building.  The WLC has an IP
 in the management VLan for the interface group so when it talks to PF
 it will use that IP.  All that's left is to add the necessary IPs to PF
 as independent switches and voilà! it works with no custom code
 required and it is upgrade safe, YAY!
 
 I can explain more fully if needed but this is the best way we have
 found yet.  If anyone else out there has a better way I would be very
 interested in learning about it.
 
 Jake Sallee
 Godfather of Bandwidth
 System Engineer
 University of Mary Hardin-Baylor
 WWW.UMHB.EDU
 
 900 College St.
 Belton, Texas
 76513
 
 Fone: 254-295-4658
 Phax: 254-295-4221
 
 
 From: forums [for...@stepanek.net]
 Sent: Wednesday, December 03, 2014 11:12 AM
 To: packetfence-users@lists.sourceforge.net
 Subject: [PacketFence-users] Cisco WLC same SSID different vlans
 
 I see that Jake back in 2012 had a thread New Cisco WLC module? and
 it
 is the same issue I am running into.  I need to offer the same SSID
 across the facility but need to use different vlans depending on which
 building the user is in.
 
 The WLC is running 7.6.130.0.  Under authentication I can have the 
 Auth
 Call Station ID type be the Ethernet mac of the AP, AP Name, AP Group,
 AP Location, etc.  I can see the proper AP Ethernet mac address when I
 watch the pf.log.
 
 I was looking at using the AP Ethernet mac address, but AP location
 would be better as it would involve a smaller database.  I am looking
 at
 custom.pm but am not seeing a variable for the switch_mac that I could
 use.
 
 Am I overlooking something?  Has somebody else done this since 2012?
 
 Thanks
 Sean
 
 --
 Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
 from Actuate! Instantly Supercharge Your Business Reports and
 Dashboards
 with Interactivity, Sharing, Native Excel Exports, App Integration 
 more
 Get technology previously reserved for billion-dollar corporations,
 FREE
 http://pubads.g.doubleclick.net/gampad/clk?id=164703151iu=/4140/ostg.clktrk
 ___
 PacketFence-users mailing list
 

Re: [PacketFence-users] Cisco WLC same SSID different vlans

2014-12-03 Thread Håvard Birkeland
Hi. 

It's actually from 17 and up, not 18. First 16 SSIDs/WLAN IDs are forced into 
the default ap-group, and you can't have duplicate SSIDs there. So a good 
practice is to always use WLAN ID above 17. 

Regards,
Håvard


Sent from my Samsung device



Re: [PacketFence-users] Cisco WLC same SSID different vlans

2014-12-03 Thread forums
Thanks Jake,

I have an interface setup on vlan 20 for the access-points for a test.
The wlan with the duplicated SSID is using 121.  I have applied it to 
its own AP group for that building.  The packetfence is seeing the 
source still as the mgmt of the controller.  I have been through the 
interface and wlan screens but must be missing the make the request 
using the mgmt ip address check box.

Thanks
Sean


Re: [PacketFence-users] Cisco WLC isssues

2014-08-28 Thread PFSupport
-Status-Type = Start
Calling-Station-Id = 172.16.50.15
Called-Station-Id = 172.16.32.30
server packetfence {
# Executing section preacct from file 
/usr/local/pf/raddb//sites-enabled/packetfence
+group preacct {
++[preprocess] = ok
[acct_unique] Hashing 'NAS-Port = 1,Client-IP-Address = 
172.16.32.30,NAS-IP-Address = 172.16.32.30,Acct-Session-Id = 
53fddedb/00:26:c7:a8:8a:3e/18,User-Name = 0026c7a88a3e'
[acct_unique] Acct-Unique-Session-ID = 5ee02df2a8bdcf4e.
++[acct_unique] = ok
[suffix] No '@' in User-Name = 0026c7a88a3e, looking up realm NULL
[suffix] No such realm NULL
++[suffix] = noop
++[files] = noop
+} # group preacct = ok
# Executing section accounting from file 
/usr/local/pf/raddb//sites-enabled/packetfence
+group accounting {
[sql] expand: %{User-Name} -> 0026c7a88a3e
[sql] sql_set_user escaped user --> '0026c7a88a3e'
[sql] expand: %{Acct-Delay-Time} ->
[sql] ... expanding second conditional
[sql] expand:CALL acct_start ( '%{Acct-Session-Id}', 
'%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', 
'%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', 
'%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}',
 '', '0', '0', 
REPLACE(REPLACE('%{Called-Station-Id}','-',''),':',''), 
REPLACE(REPLACE('%{Calling-Station-Id}','-',''),':',''), '', 
'%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', 
'%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}', 
'%{Acct-Status-Type}') -> CALL acct_start ( 
'53fddedb/00:26:c7:a8:8a:3e/18', '5ee02df2a8bdcf4e', 
'0026c7a88a3e', '', '172.16.32.30', '1', 
'Wireless-802.11', '2014-08-27 09:37:15', NULL, '0', 'RADIUS', '',  
   '', '0', '0', 
REPLACE(REPLACE('172.16.32.30','-',''),':',''), 
REPLACE(REPLACE('172.16.50.15','-',''),':',''), '', '',
rlm_sql (sql): Reserving sql socket id: 3
rlm_sql (sql): Released sql socket id: 3
++[sql] = ok
[attr_filter.accounting_response] expand: %{User-Name} -> 0026c7a88a3e
attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] = updated
++update control {
++} # update control = noop
rlm_perl: MAC address is empty or invalid in this request. It could be normal 
on certain radius calls
rlm_perl: PacketFence RESULT RESPONSE CODE: 2 (2 means OK)
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Acct-Session-Id = 53fddedb/00:26:c7:a8:8a:3e/18
rlm_perl: Added pair Framed-IPv6-Prefix = fe80::/64
rlm_perl: Added pair Acct-Unique-Session-Id = 5ee02df2a8bdcf4e
rlm_perl: Added pair Tunnel-Type = VLAN
rlm_perl: Added pair Called-Station-Id = 172.16.32.30
rlm_perl: Added pair Airespace-Wlan-Id = 3
rlm_perl: Added pair Acct-Authentic = RADIUS
rlm_perl: Added pair Acct-Status-Type = Start
rlm_perl: Added pair NAS-IP-Address = 172.16.32.30
rlm_perl: Added pair Tunnel-Private-Group-Id = 3100
rlm_perl: Added pair SQL-User-Name = 0026c7a88a3e
rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802
rlm_perl: Added pair Calling-Station-Id = 172.16.50.15
rlm_perl: Added pair Cisco-AVPair = audit-session-id=ac10201e002753fddebb
rlm_perl: Added pair User-Name = 0026c7a88a3e
rlm_perl: Added pair NAS-Identifier = Wlan_core1
rlm_perl: Added pair Event-Timestamp = Aug 27 2014 09:36:27 EDT
rlm_perl: Added pair Framed-IP-Address = 172.16.50.15
rlm_perl: Added pair NAS-Port = 1
rlm_perl: Added pair PacketFence-RPC-Pass =
rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1
rlm_perl: Added pair PacketFence-RPC-Proto = http
rlm_perl: Added pair PacketFence-RPC-User =
rlm_perl: Added pair PacketFence-RPC-Port = 9090
++[packetfence] = ok
+} # group accounting = updated
} # server packetfence
Sending Accounting-Response of id 211 to 172.16.32.30 port 32768
Finished request 2.
Cleaning up request 2 ID 211 with timestamp +354
Going to the next request
Waking up in 1.0 seconds.
Cleaning up request 1 ID 221 with timestamp +350
Ready to process requests.

From: Durand fabrice [fdur...@inverse.ca]
Sent: Tuesday, August 26, 2014 8:04 PM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Cisco WLC isssues

So what is the answer ?, something different ?

Regards
Fabrice

Le 2014-08-26 15:23, PFSupport a écrit :
I changed to the other auth module and the problem remains, I do not see the 
answer as per your email to when I run a debug.

From: Fabrice DURAND [fdur...@inverse.ca]
Sent: Tuesday, August 26, 2014 1:47 PM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Cisco WLC isssues

Ok so it looks like you use the wrong module for web auth.
Use Cisco Wireless Controller (WLC HTTP).


After you will be able to have this type of answer:

$radius_reply_ref
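As an added example for this thread (not PacketFence or FreeRADIUS code), here is a small Python parser for radiusd -X transcripts like the ones posted above: it splits each exchange into the attributes the WLC sent and the pairs PacketFence added to the reply, then flags whether Calling-Station-Id carries the client MAC (the accounting start above carries the client IP instead, which is consistent with the "MAC address is empty or invalid" line rlm_perl logged) and whether the Access-Accept carries Tunnel-Private-Group-ID and Airespace-ACL-Name. The embedded transcript is constructed from the values shown in the thread.

```python
"""Parse a FreeRADIUS ``radiusd -X`` transcript and check what PacketFence answered a Cisco
WLC.  Added example for this thread, not PacketFence or FreeRADIUS code; the transcript is
constructed from the attribute values shown in the posts above."""
import re
from dataclasses import dataclass, field

RECV_RE = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=\d+")
# "Attr = value", tagged "Attr:0 = value", or "rlm_perl: Added pair Attr = value"
ATTR_RE = re.compile(r"^\s*(?:rlm_perl: Added pair )?([A-Za-z][\w-]*)(?::\d+)?\s*=\s*(.*?)\s*$")
MAC_RE = re.compile(r"^[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}$", re.I)

SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 172.16.32.30 port 32768, id=213, length=167
    User-Name = 0026c7a88a3e
    Calling-Station-Id = 00:26:c7:a8:8a:3e
    Called-Station-Id = 3c:0e:23:89:b0:40:1010
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = 2060
server packetfence {
} # server packetfence
rlm_perl: Returning vlan 3100 to request from 00:26:c7:a8:8a:3e port 1
rlm_perl: PacketFence RESULT RESPONSE CODE: 2 (2 means OK)
rlm_perl: Added pair Calling-Station-Id = 00:26:c7:a8:8a:3e
rlm_perl: Added pair Tunnel-Private-Group-Id = 2060
rlm_perl: Added pair Tunnel-Private-Group-ID = 3100
rlm_perl: Added pair Tunnel-Type = 13
rlm_perl: Added pair Tunnel-Medium-Type = 6
rlm_perl: Added pair Airespace-ACL-Name = Authorize_any
Sending Access-Accept of id 213 to 172.16.32.30 port 32768
rad_recv: Accounting-Request packet from host 172.16.32.30 port 32768, id=211, length=140
    Acct-Status-Type = Start
    Calling-Station-Id = 172.16.50.15
    Called-Station-Id = 172.16.32.30
server packetfence {
rlm_perl: MAC address is empty or invalid in this request. It could be normal on certain radius calls
rlm_perl: PacketFence RESULT RESPONSE CODE: 2 (2 means OK)
rlm_perl: Added pair Framed-IP-Address = 172.16.50.15
Sending Accounting-Response of id 211 to 172.16.32.30 port 32768
"""

@dataclass
class Exchange:
    kind: str                                    # Access-Request / Accounting-Request
    nas: str                                     # controller that sent it
    request: dict = field(default_factory=dict)  # attributes the WLC sent, keys lower-cased
    reply: dict = field(default_factory=dict)    # pairs PacketFence added or changed

def parse_debug(text):
    exchanges, cur, phase = [], None, None
    for line in text.splitlines():
        m = RECV_RE.match(line)
        if m:
            cur = Exchange(kind=m.group(1), nas=m.group(2))
            exchanges.append(cur)
            phase = "request"  # the attribute dump follows rad_recv
            continue
        if cur is None:
            continue
        if line.startswith("server packetfence {"):
            phase = "processing"
        elif "PacketFence RESULT RESPONSE CODE" in line:
            phase = "reply"  # pairs listed from here on form the answer
        elif line.startswith("Sending "):
            phase = None
        m = ATTR_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip('"')
        if phase == "request" and not line.startswith("rlm_perl"):
            cur.request[name.lower()] = value
        elif phase == "reply" and line.startswith("rlm_perl: Added pair"):
            # rlm_perl echoes every request pair too; keep only what PF changed or added
            if cur.request.get(name.lower()) != value:
                cur.reply[name] = value
    return exchanges

def calling_station_is_mac(ex):
    """The WLC must send the client MAC in Calling-Station-Id; an IP there is what the
    "MAC address is empty or invalid" line in the accounting debug above points at."""
    return bool(MAC_RE.match(ex.request.get("calling-station-id", "")))

def returned_vlan(ex):
    return ex.reply.get("Tunnel-Private-Group-ID") or ex.reply.get("Tunnel-Private-Group-Id")

def returned_acl(ex):
    return ex.reply.get("Airespace-ACL-Name")

def check_exchange(ex):
    """Problems worth fixing on the controller or in PF; empty means the exchange looks
    like the working Access-Accept in the thread (VLAN 3100 plus ACL Authorize_any)."""
    problems = []
    if not calling_station_is_mac(ex):
        problems.append(f"{ex.kind} from {ex.nas}: Calling-Station-Id "
                        f"{ex.request.get('calling-station-id')!r} is not a MAC")
    if ex.kind == "Access-Request" and returned_vlan(ex) is None:
        problems.append("Access-Accept carries no Tunnel-Private-Group-ID (VLAN)")
    if ex.kind == "Access-Request" and returned_acl(ex) is None:
        problems.append("Access-Accept carries no Airespace-ACL-Name")
    return problems
```

Run it against a real radiusd -X capture by replacing SAMPLE_DEBUG with the file contents; the reply dict shows exactly which pairs PacketFence changed versus what the controller sent.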

Re: [PacketFence-users] Cisco WLC isssues

2014-08-26 Thread Lupe Silva
1) According to the errors, it seems that your database is not running or
you have or there is a mis-configuration.
2) Are you running inline?  if not, it sounds to me like an issue of your
dhcp server setup and the dns server it is sending out.


Lupe Silva



On Mon, Aug 25, 2014 at 1:31 PM, PFSupport pfsupp...@qlogitek.com wrote:

 I am currently running PF 4.3 with a CISCO
 wireless controller 2500 series version 8.0.100.0.

 I have the system setup to use an
 unsecure network for registration and use an ACL to control network
 access. We
 use the PF captive portal to redirect users and register them on the
 network.

 Once my users have registered they are
 continually directed to the captive portal and although they are
 registered and
 have proper access receive the messages “Your network  should be enabled
 ….”.
 I see that the user is logged in assigned the role default and the correct
 VLAN


 When I look at the packet fence log I
 see



  Aug 25 15:19:49 httpd.webservices(1831) WARN:
 database query failed with: Column 'switch' cannot be null (errno: 1048),
 will
 try again (pf::db::db_query_execute)

 Aug 25 15:19:49
 httpd.webservices(1831) WARN: database query failed with: Column 'switch'
 cannot be null (errno: 1048), will try again (pf::db::db_query_execute)

 Aug 25 15:19:49
 httpd.webservices(1831) WARN: database query failed with: Column 'switch'
 cannot be null (errno: 1048), will try again (pf::db::db_query_execute)

 Aug 25 15:19:49
 httpd.webservices(1831) ERROR: Database issue: We tried 3 times to serve
 query
 locationlog_insert_closed_sql called from
 pf::locationlog::locationlog_insert_closed and we failed. Is the database
 running? (pf::db::db_query_execute)

 Aug 25 15:20:17 httpd.webservices(1831)
 WARN: unable to convert connection_type to string. called from pf::api
 pf::locationlog::locationlog_insert_closed
 (pf::util::connection_type_to_str)

 Aug 25 15:20:17
 httpd.webservices(1831) INFO: Asked to insert a locationlog entry with
 connection
 type unknown. (pf::locationlog::locationlog_insert_closed)

 Aug 25 15:20:17
 httpd.webservices(1831) WARN: database query failed with: Column 'switch'
 cannot be null (errno: 1048), will try again (pf::db::db_query_execute)

 Aug 25 15:20:17 httpd.webservices(1831)
 WARN: database query failed with: Column 'switch' cannot be null (errno:
 1048),
 will try again (pf::db::db_query_execute)

 Aug 25 15:20:17
 httpd.webservices(1831) WARN: database query failed with: Column 'switch'
 cannot be null (errno: 1048), will try again (pf::db::db_query_execute)

 Aug 25 15:20:17
 httpd.webservices(1831) ERROR: Database issue: We tried 3 times to serve
 query
 locationlog_insert_closed_sql called from
 pf::locationlog::locationlog_insert_closed and we failed. Is the database
 running?
 (pf::db::db_query_execute)



 I have setup the controller as per
 example



 Chapter 5

 Wireless LAN Controller (WLC) Web Auth



 Any help would be greatly appreciated







 --
 Slashdot TV.
 Video for Nerds.  Stuff that matters.
 http://tv.slashdot.org/
 ___
 PacketFence-users mailing list
 PacketFence-users@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/packetfence-users



Re: [PacketFence-users] Cisco WLC isssues

2014-08-26 Thread PFSupport
 I have confirmed that the database is running and I can authenticate against 
the radius server. The client does get an IP address from DHCP and is 
redirected to the captive portal.
 I am not running inline, I am using Vlans to assign client access and ACL on 
the wireless controller.





Re: [PacketFence-users] Cisco WLC isssues

2014-08-26 Thread Fabrice DURAND

Hi PFSupport,

the secret is in radius, can you post the debug of the radius request?
(run radius with radiusd -d /usr/local/pf/raddb/ -X)
And after you register on the portal, pf sends a CoA on port 1700 
(UDP) of the cisco WLC controller. (Can you capture this traffic and 
send it as a pcap file?)


Regards
Fabrice






--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse

Re: [PacketFence-users] Cisco WLC isssues

2014-08-26 Thread PFSupport
Sure here is the debug

Ready to process requests.
rad_recv: Access-Request packet from host 172.16.32.30 port 32768, id=213, 
length=167
User-Name = 0026c7a88a3e
Called-Station-Id = 3c:0e:23:89:b0:40:1010
Calling-Station-Id = 00:26:c7:a8:8a:3e
NAS-Port = 1
NAS-IP-Address = 172.16.32.30
NAS-Identifier = Wlan_core1
Airespace-Wlan-Id = 3
User-Password = 0026c7a88a3e
Service-Type = Call-Check
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 2060
server packetfence {
# Executing section authorize from file 
/usr/local/pf/raddb//sites-enabled/packetfence
+group authorize {
[suffix] No '@' in User-Name = 0026c7a88a3e, looking up realm NULL
[suffix] No such realm NULL
++[suffix] = noop
++[preprocess] = ok
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] users: Matched entry DEFAULT at line 1
++[files] = ok
++[expiration] = noop
++[logintime] = noop
++update request {
expand: %{Packet-Src-IP-Address} -> 172.16.32.30
++} # update request = noop
++update control {
++} # update control = noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Call-Check
rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802
rlm_perl: Added pair Tunnel-Type = VLAN
rlm_perl: Added pair Calling-Station-Id = 00:26:c7:a8:8a:3e
rlm_perl: Added pair Called-Station-Id = 3c:0e:23:89:b0:40:1010
rlm_perl: Added pair FreeRADIUS-Client-IP-Address = 172.16.32.30
rlm_perl: Added pair Airespace-Wlan-Id = 3
rlm_perl: Added pair User-Name = 0026c7a88a3e
rlm_perl: Added pair NAS-Identifier = Wlan_core1
rlm_perl: Added pair User-Password = 0026c7a88a3e
rlm_perl: Added pair NAS-Port = 1
rlm_perl: Added pair NAS-IP-Address = 172.16.32.30
rlm_perl: Added pair Tunnel-Private-Group-Id = 2060
rlm_perl: Added pair Framed-MTU = 1300
rlm_perl: Added pair PacketFence-RPC-Pass =
rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1
rlm_perl: Added pair PacketFence-RPC-Proto = http
rlm_perl: Added pair PacketFence-RPC-User =
rlm_perl: Added pair Auth-Type = Accept
rlm_perl: Added pair PacketFence-RPC-Port = 9090
++[packetfence] = noop
+} # group authorize = ok
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Login OK: [0026c7a88a3e] (from client 172.16.32.30 port 1 cli 00:26:c7:a8:8a:3e)
} # server packetfence
# Executing section post-auth from file /usr/local/pf/raddb//sites-enabled/packetfence
+group post-auth {
++[exec] = noop
++? if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP))
? Evaluating !(EAP-Type ) -> TRUE
?? Skipping (EAP-Type != EAP-TTLS && )
?? Skipping (EAP-Type != PEAP)
++? if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) -> TRUE
++if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) {
+++update control {
+++} # update control = noop
rlm_perl: Returning vlan 3100 to request from 00:26:c7:a8:8a:3e port 1
rlm_perl: PacketFence RESULT RESPONSE CODE: 2 (2 means OK)
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Call-Check
rlm_perl: Added pair Tunnel-Type = VLAN
rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802
rlm_perl: Added pair Called-Station-Id = 3c:0e:23:89:b0:40:1010
rlm_perl: Added pair Calling-Station-Id = 00:26:c7:a8:8a:3e
rlm_perl: Added pair Airespace-Wlan-Id = 3
rlm_perl: Added pair FreeRADIUS-Client-IP-Address = 172.16.32.30
rlm_perl: Added pair User-Name = 0026c7a88a3e
rlm_perl: Added pair User-Password = 0026c7a88a3e
rlm_perl: Added pair NAS-Identifier = Wlan_core1
rlm_perl: Added pair NAS-IP-Address = 172.16.32.30
rlm_perl: Added pair NAS-Port = 1
rlm_perl: Added pair Framed-MTU = 1300
rlm_perl: Added pair Tunnel-Private-Group-Id = 2060
rlm_perl: Added pair Tunnel-Private-Group-ID = 3100
rlm_perl: Added pair Tunnel-Type = 13
rlm_perl: Added pair Tunnel-Medium-Type = 6
rlm_perl: Added pair Airespace-ACL-Name = Authorize_any
rlm_perl: Added pair PacketFence-RPC-Pass =
rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1
rlm_perl: Added pair PacketFence-RPC-User =
rlm_perl: Added pair PacketFence-RPC-Proto = http
rlm_perl: Added pair Auth-Type = Accept
rlm_perl: Added pair PacketFence-RPC-Port = 9090
+++[packetfence] = ok
++} # if (!EAP-Type || (EAP-Type != EAP-TTLS   EAP-Type != PEAP)) = ok
+} # group post-auth = ok
Sending Access-Accept of id 213 to 172.16.32.30 port 32768
Tunnel-Private-Group-Id:0 = 3100
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Airespace-ACL-Name = Authorize_any
Finished request 0.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 0 ID 213 with timestamp +336
Ready to process requests.


From: Fabrice DURAND [fdur...@inverse.ca]
Sent: Tuesday, August 26, 2014 11:24 AM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Cisco WLC issues

Hi PFSupport,

The secret is in RADIUS; can you post the debug of the RADIUS request?
(run radius with radiusd -d

Re: [PacketFence-users] Cisco WLC issues

2014-08-26 Thread Fabrice DURAND

From: Fabrice DURAND [fdur...@inverse.ca]
Sent: Tuesday, August 26, 2014 11:24 AM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Cisco WLC issues

Hi PFSupport,

The secret is in RADIUS; can you post the debug of the RADIUS request?
(run radius with radiusd -d /usr/local/pf/raddb/ -X)
And after you register on the portal, PF sends a CoA on port 1700 (UDP)
of the Cisco WLC controller. (Can you capture this traffic and send it
as a pcap file?)


Regards
Fabrice



On 2014-08-26 10:44, PFSupport wrote:
I have confirmed that the database is running and I can authenticate
against the RADIUS server. The client does get an IP address from DHCP
and is redirected to the captive portal.
I am not running inline; I am using VLANs to assign client access and
ACLs on the wireless controller.




From: Lupe Silva [lupe.si...@gmail.com]
Sent: Tuesday, August 26, 2014 10:02 AM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Cisco WLC issues

1) According to the errors, it seems that your database is not
running or there is a misconfiguration.
2) Are you running inline? If not, it sounds to me like an issue with
your DHCP server setup and the DNS server it is sending out.


Lupe Silva



On Mon, Aug 25, 2014 at 1:31 PM, PFSupport pfsupp...@qlogitek.com wrote:

I am currently running PF 4.3 with a Cisco wireless controller 2500 series,
version 8.0.100.0.

I have the system set up to use an unsecured network for registration and
use an ACL to control network access. We use the PF captive portal to
redirect users and register them on the network.

Once my users have registered they are continually directed to the captive
portal and, although they are registered and have proper access, receive
the message “Your network should be enabled …”. I see that the user is
logged in, assigned the role default and the correct VLAN.

When I look at the PacketFence log I see:

Aug 25 15:19:49 httpd.webservices(1831) WARN: database query failed with: Column 'switch' cannot be null (errno: 1048), will try again (pf::db::db_query_execute)
Aug 25 15:19:49 httpd.webservices(1831) WARN: database query failed with: Column 'switch' cannot be null (errno: 1048), will try again (pf::db::db_query_execute)
Aug 25 15:19:49 httpd.webservices(1831) WARN: database query failed with: Column 'switch' cannot be null (errno: 1048), will try again (pf::db::db_query_execute)
Aug 25 15:19:49 httpd.webservices(1831) ERROR: Database issue: We tried 3 times to serve query locationlog_insert_closed_sql called from pf::locationlog::locationlog_insert_closed and we failed. Is the database running? (pf::db::db_query_execute)
Aug 25 15:20:17 httpd.webservices(1831) WARN: unable to convert connection_type to string. called from pf::api pf::locationlog::locationlog_insert_closed (pf::util::connection_type_to_str)
Aug 25 15:20:17 httpd.webservices(1831) INFO: Asked to insert a locationlog entry with connection type unknown. (pf::locationlog::locationlog_insert_closed)
Aug 25 15:20:17 httpd.webservices(1831) WARN: database query failed with: Column 'switch' cannot be null (errno: 1048), will try again (pf::db::db_query_execute)
Aug 25 15:20:17 httpd.webservices(1831) WARN: database query failed with: Column 'switch' cannot be null (errno: 1048), will try again (pf::db::db_query_execute)
Aug 25 15:20:17 httpd.webservices(1831) WARN: database query failed with: Column 'switch' cannot be null (errno: 1048), will try again (pf::db::db_query_execute)
Aug 25 15:20:17 httpd.webservices(1831) ERROR: Database issue: We tried 3 times to serve query locationlog_insert_closed_sql called from pf::locationlog::locationlog_insert_closed and we failed. Is the database running? (pf::db::db_query_execute)

I have set up the controller as per the example in Chapter 5, "Wireless LAN
Controller (WLC) Web Auth".

Any help would be greatly appreciated.

--
Slashdot TV.
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Cisco WLC issues

2014-08-26 Thread PFSupport
I changed to the other auth module and the problem remains; I do not see the 
answer as per your email when I run a debug.

From: Fabrice DURAND [fdur...@inverse.ca]
Sent: Tuesday, August 26, 2014 1:47 PM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Cisco WLC issues

OK, so it looks like you are using the wrong module for web auth.
Use Cisco Wireless Controller (WLC HTTP).


After that you will be able to have this type of answer:

$radius_reply_ref = {
    'User-Name'    => $mac,
    'Cisco-AVPair' => [
        "url-redirect-acl=$role",
        "url-redirect=" . $this->{'_portalURL'} . "/cep$session_id{_session_id}",
    ],
};

On 2014-08-26 13:42, PFSupport wrote:
Sure here is the debug
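An added example (not PacketFence's or Fabrice's code) of the check PFSupport is doing by eye above: parse a `radiusd -X` transcript, collect the attributes of each reply FreeRADIUS sends, and report whether an Access-Accept carries the two Cisco-AVPair url-redirect values of the WLC HTTP module or only a VLAN/ACL assignment like the one in the debug. The first reply in the sample transcript is the Access-Accept from this thread; the second, with its portal URL, ACL name and packet id, is constructed.

```python
"""Classify the replies in a FreeRADIUS debug (radiusd -X) transcript.

Added example for this thread, not PacketFence's own code. It collects the
attributes printed under "Sending Access-Accept of id ..." and tells a plain
VLAN/ACL assignment (what the debug in this thread shows) apart from the
Cisco web-auth redirect reply (Cisco-AVPair url-redirect-acl plus
url-redirect) that the WLC HTTP module is expected to return for an
unregistered device.
"""
import re
from dataclasses import dataclass, field

# "Sending Access-Accept of id 213 to 172.16.32.30 port 32768"
SEND_RE = re.compile(
    r"^Sending (Access-\w+|CoA-\w+|Disconnect-\w+) of id (\d+) to (\S+) port (\d+)"
)
# "Tunnel-Private-Group-Id:0 = 3100" (":0" is a tunnel tag) or
# 'Cisco-AVPair = "url-redirect-acl=guest"' (radiusd quotes string values)
ATTR_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)(?::\d+)?\s*=\s*"?(.*?)"?\s*$')


@dataclass
class RadiusReply:
    code: str
    packet_id: int
    nas_ip: str
    nas_port: int
    attrs: list = field(default_factory=list)  # (name, value) pairs, in order

    def values(self, name):
        """All values of one attribute (Cisco-AVPair may appear several times)."""
        return [v for n, v in self.attrs if n == name]


def parse_replies(debug_text):
    """One RadiusReply per "Sending ..." block; the block ends at the first
    line that is not an attribute, e.g. "Finished request 0."."""
    replies = []
    current = None
    for line in debug_text.splitlines():
        m = SEND_RE.match(line)
        if m:
            current = RadiusReply(m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))
            replies.append(current)
            continue
        if current is None:
            continue
        m = ATTR_RE.match(line)
        if m:
            current.attrs.append((m.group(1), m.group(2)))
        else:
            current = None
    return replies


def classify(reply):
    """Name the enforcement the reply asks the WLC to apply."""
    avpairs = reply.values("Cisco-AVPair")
    redirect = any(v.startswith("url-redirect=") for v in avpairs)
    redirect_acl = any(v.startswith("url-redirect-acl=") for v in avpairs)
    if redirect and redirect_acl:
        return "web-auth-redirect"
    if redirect or redirect_acl:
        return "incomplete-redirect"  # the WLC needs both AV pairs
    if reply.values("Tunnel-Private-Group-Id") or reply.values("Airespace-ACL-Name"):
        return "vlan-or-acl-assignment"
    return "bare-accept"


def diagnose(debug_text):
    """packet id -> (reply code, classification, VLAN or None, ACL name or None)."""
    result = {}
    for r in parse_replies(debug_text):
        vlan = r.values("Tunnel-Private-Group-Id")
        acl = r.values("Airespace-ACL-Name")
        result[r.packet_id] = (r.code, classify(r), vlan[0] if vlan else None, acl[0] if acl else None)
    return result


# Constructed sample transcript. The first block is the Access-Accept from the
# radiusd -X output in this thread; the second is a made-up web-auth redirect
# reply (portal URL, ACL name and packet id are placeholders) for comparison.
SAMPLE_DEBUG = """\
rlm_perl: Returning vlan 3100 to request from 00:26:c7:a8:8a:3e port 1
Sending Access-Accept of id 213 to 172.16.32.30 port 32768
\tTunnel-Private-Group-Id:0 = 3100
\tTunnel-Type:0 = VLAN
\tTunnel-Medium-Type:0 = IEEE-802
\tAirespace-ACL-Name = Authorize_any
Finished request 0.
Going to the next request
Sending Access-Accept of id 214 to 172.16.32.30 port 32768
\tUser-Name = "0026c7a88a3e"
\tCisco-AVPair = "url-redirect-acl=registration"
\tCisco-AVPair = "url-redirect=https://portal.example.net/cep1a2b3c"
Finished request 1.
"""

if __name__ == "__main__":
    for pid, (code, kind, vlan, acl) in diagnose(SAMPLE_DEBUG).items():
        print(f"id {pid}: {code} -> {kind} (vlan={vlan}, acl={acl})")
```

Run it against a real `radiusd -X` capture taken while an unregistered device associates: a "vlan-or-acl-assignment" result on that request is the symptom Fabrice describes, a "web-auth-redirect" result is what the WLC HTTP module should produce.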

Re: [PacketFence-users] Cisco WLC issues

2014-08-26 Thread Durand fabrice

So what is the answer? Something different?

Regards
Fabrice

On 2014-08-26 15:23, PFSupport wrote:
I changed to the other auth module and the problem remains; I do not 
see the answer as per your email when I run a debug.


From: Fabrice DURAND [fdur...@inverse.ca]
Sent: Tuesday, August 26, 2014 1:47 PM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Cisco WLC issues

OK, so it looks like you are using the wrong module for web auth.
Use Cisco Wireless Controller (WLC HTTP).

After that you will be able to have this type of answer:

$radius_reply_ref = {
    'User-Name'    => $mac,
    'Cisco-AVPair' => [
        "url-redirect-acl=$role",
        "url-redirect=" . $this->{'_portalURL'} . "/cep$session_id{_session_id}",
    ],
};

On 2014-08-26 13:42, PFSupport wrote:

Sure here is the debug

Re: [PacketFence-users] CISCO WLC and DHCP bug

2014-07-22 Thread luca comes
Fletcher you are my salvation! :-)
I made the configuration you suggested and now it works (there was also an 
incorrect rule on the core firewall which prevented DHCP requests from the 
guest interface). I don't understand why the Cisco WLC (I have the virtual 
appliance) needs to manage DHCP traffic from the clients, but now it works fine; 
the only problem is that it doesn't do redirection after re-authentication, but 
that's less critical.

Thanks

Luca

Date: Mon, 21 Jul 2014 09:22:04 -0700
From: fhay...@willamette.edu
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] CISCO WLC and DHCP bug

I am using PF with a WiSM2 on 7.6.120, so I know it works. =) I suspect there 
is just something wrong with your configuration.

So a few notes:
You shouldn't need to configure ip helper on the cores for wireless clients. 
This is because, when you do central switching, the WiSM needs to handle the 
DHCP forwarding. Basically, when you configure DHCP Proxy on the core, you are 
using a version of ip helper. The cores are not going to see DHCP packets 
coming from the wireless clients, as they will be CAPWAP packets going to the 
controller. The controller will then forward it to the DHCP server.

The proper way to configure DHCP Proxy for our WiSM 2 was:

1. In the WLC web interface, click Controller along the top
2. Click DHCP under Advanced in the left hand menu
3. Make sure Enable DHCP proxy is checked
4. DHCP Option 82 should be binary
5. Remote Id field format should be AP-MAC
6. Click interfaces from the left hand menu
7. Go into the menu for the appropriate interface
8. Configure the DHCP Information section with the IPs of your DHCP servers
9. For DHCP Proxy Mode select Global

Can you try that config, take a tcpdump from the DHCP server and the client 
for DHCP packets, and post it?

On Mon, Jul 21, 2014 at 8:20 AM, luca comes lucaco...@hotmail.it wrote:

I have all the VLANs needed (registration, isolation and guest) configured on 
the controller; in fact I can ping PF and vice versa. For the DHCP proxy mode 
I'm not sure what the correct way is, but I tried both global and disabled and 
the behaviour is always the same. The problem is really similar to bug 0001050 
but I'm not able to solve it. I'm also trying to use PF as DHCP server for the 
production environment but it doesn't work. It's really annoying because all 
the other things are working fine and I don't want to throw away months of 
work and testing and replace the system with the Cisco captive portal page.


Luca

Date: Mon, 21 Jul 2014 07:05:56 -0700
From: fhay...@willamette.edu
To: packetfence-users@lists.sourceforge.net

Subject: Re: [PacketFence-users] CISCO WLC and DHCP bug

Do you have DHCP proxy configured on the WiSM globally? Have you configured 
interfaces on the WiSM for each VLAN you are using?

On Sun, Jul 20, 2014 at 11:42 PM, luca comes lucaco...@hotmail.it wrote:

Hi Fletcher,
my WLAN is configured for central switching in our datacenter where also the 
DHCP server is located.

Thanks

Luca

Date: Fri, 18 Jul 2014 08:27:56 -0700
From: fhay...@willamette.edu
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] CISCO WLC and DHCP bug

Are your WLANs configured for central or local switching?

On Fri, Jul 18, 2014 at 8:22 AM, luca comes lucaco...@hotmail.it wrote:

Hi all,
I've got a strange problem with DHCP after deauthentication. I'm running Cisco 
virtual WLC (last release 7.6.120) and PacketFence 4.3.0 deployed to serve 
wireless guest access through email sponsorship. I'm using ISC DHCP Server 4.1.1 
(the DHCP server for all production subnets) on CentOS 5.10 to give IP addresses 
on the guest subnet; an IP helper address configuration is made on the core 
switch to make it possible. All seems to work fine, but after deauthentication 
the client can't get an IP from the DHCP server. I took a dump from the log and 
from tcpdump and the requests are arriving correctly on the guest VLAN, but the 
server answers "wrong network!" and sends DHCPNAK. After that clients don't try 
to do a new discover, always forcing to keep the IP they got from the 
registration VLAN. Can someone help me?

P.S. The problem is the same with Windows 7 or Linux clients

Thanks

Luca


--
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users




-- 
Fletcher Haynes fhay...@willamette.edu
Systems Administrator/Network Services Consultant
Willamette Integrated Technology Services
Willamette University, Salem, OR
Phone

Re: [PacketFence-users] CISCO WLC and DHCP bug

2014-07-22 Thread Fletcher Haynes
Glad I could help!




Re: [PacketFence-users] CISCO WLC and DHCP bug

2014-07-21 Thread luca comes
Hi Fletcher,
my WLAN is configured for central switching in our datacenter where also the 
DHCP server is located.

Thanks

Luca



Re: [PacketFence-users] CISCO WLC and DHCP bug

2014-07-21 Thread Fletcher Haynes
Do you have DHCP proxy configured on the WiSM globally? Have you configured
interfaces on the WiSM for each VLAN you are using?


On Sun, Jul 20, 2014 at 11:42 PM, luca comes lucaco...@hotmail.it wrote:

 Hi Fletcher,
 my WLAN is configured for central switching in our datacenter where also
 the DHCP server is located.

 Thanks

 Luca

 --
 Date: Fri, 18 Jul 2014 08:27:56 -0700
 From: fhay...@willamette.edu
 To: packetfence-users@lists.sourceforge.net
 Subject: Re: [PacketFence-users] CISCO WLC and DHCP bug


 Are your WLANs configured for central or local switching?


 On Fri, Jul 18, 2014 at 8:22 AM, luca comes lucaco...@hotmail.it wrote:

 Hi all,
 I've got a strange problem with DHCP after deauthentication. I'm running
 Cisco virtual WLC (last release 7.6.120) and Packetfence 4.3.0 deployed to
 serve wireless guest access through email sposorship. I'm using ISC DHCP
 Server 4.1.1 (the all production subnet dhcp server) on CentOS 5.10 to give
 IP address on guest subnet, an IP helper address configuration is made on
 the core switch to make it possible. All seem working fine but after
 deauthentication client can't get IP from dhcp server. I took a dump from
 the log and from tcpdump and the request are arriving correctly on the
 guest vlan but the server answer wrong network! and send DHCPNAK. After
 that clients don't try to do a new discover always forcing to keep the IP
 they got from registration vlan. Can someone help me?

 P.S. The problem is the same with windows 7 or linux clients


 Thanks

 Luca


 --
 Want fast and easy access to all the code in your enterprise? Index and
 search up to 200,000 lines of code with a free copy of Black Duck
 Code Sight - the same software that powers the world's largest code
 search on Ohloh, the Black Duck Open Hub! Try it now.
 http://p.sf.net/sfu/bds
 ___
 PacketFence-users mailing list
 PacketFence-users@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/packetfence-users




 --
 Fletcher Haynes fhay...@willamette.edu
 Systems Administrator/Network Services Consultant
 Willamette Integrated Technology Services
 Willamette University, Salem, OR
 Phone: 503.370.6016





-- 
Fletcher Haynes fhay...@willamette.edu
Systems Administrator/Network Services Consultant
Willamette Integrated Technology Services
Willamette University, Salem, OR
Phone: 503.370.6016


Re: [PacketFence-users] CISCO WLC and DHCP bug

2014-07-21 Thread luca comes
I have all the VLANs needed (registration, isolation and guest) configured on
the controller; in fact I can ping PF and vice versa. For the DHCP proxy mode
I'm not sure what the correct way is, but I tried both global and disabled
and the behaviour is always the same. The problem is really similar to bug
0001050 but I'm not able to solve it. I'm also trying to use PF as DHCP server
for the production environment but it doesn't work. It's really annoying because
all the other things are working fine and I don't want to throw away months of
work and testing and replace the system with the Cisco captive portal page.

Luca

Date: Mon, 21 Jul 2014 07:05:56 -0700
From: fhay...@willamette.edu
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] CISCO WLC and DHCP bug

Do you have DHCP proxy configured on the WiSM globally? Have you configured 
interfaces on the WiSM for each VLAN you are using?

On Sun, Jul 20, 2014 at 11:42 PM, luca comes lucaco...@hotmail.it wrote:




Hi Fletcher,
my WLAN is configured for central switching in our datacenter where also the 
DHCP server is located.

Thanks

Luca

Date: Fri, 18 Jul 2014 08:27:56 -0700

From: fhay...@willamette.edu
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] CISCO WLC and DHCP bug


Are your WLANs configured for central or local switching?

On Fri, Jul 18, 2014 at 8:22 AM, luca comes lucaco...@hotmail.it wrote:





Hi all,
I've got a strange problem with DHCP after deauthentication. I'm running Cisco
virtual WLC (last release 7.6.120) and Packetfence 4.3.0 deployed to serve
wireless guest access through email sponsorship. I'm using ISC DHCP Server 4.1.1
(the DHCP server for all production subnets) on CentOS 5.10 to give IP addresses
on the guest subnet; an IP helper address configuration is made on the core
switch to make it possible. All seems to be working fine, but after
deauthentication clients can't get an IP from the DHCP server. I took a dump
from the log and from tcpdump and the requests are arriving correctly on the
guest VLAN, but the server answers "wrong network!" and sends DHCPNAK. After
that the clients don't try a new discover and always keep the IP they got from
the registration VLAN. Can someone help me?

P.S. The problem is the same with Windows 7 or Linux clients


Thanks

Luca
  





-- 
Fletcher Haynes fhay...@willamette.edu
Systems Administrator/Network Services Consultant
Willamette Integrated Technology Services
Willamette University, Salem, OR
Phone: 503.370.6016






-- 
Fletcher Haynes fhay...@willamette.edu
Systems Administrator/Network Services Consultant
Willamette Integrated Technology Services
Willamette University, Salem, OR
Phone: 503.370.6016



Re: [PacketFence-users] CISCO WLC and DHCP bug

2014-07-21 Thread Fletcher Haynes
I am using PF with a WiSM2 on 7.6.120, so I know it works. =) I suspect
there is just something wrong with your configuration.

So a few notes:
You shouldn't need to configure ip helper on the cores *for wireless
clients.* This is because, when you do central switching, the WiSM needs to
handle the DHCP forwarding. Basically, when you configure DHCP Proxy on the
core, you are using a version of ip helper. The cores are not going to see
DHCP packets coming from the wireless clients, as they will be CAPWAP
packets going to the controller. The controller will then forward it to the
DHCP server.

The proper way to configure DHCP Proxy for our WiSM 2 was:

   1. In the WLC web interface, click Controller along the top
   2. Click DHCP under Advanced in the left hand menu
   3. Make sure Enable DHCP proxy is checked
   4. DHCP Option 82 should be binary
   5. Remote Id field format should be AP-MAC
   6. Click interfaces from the left hand menu
   7. Go into the menu for the appropriate interface
   8. Configure the DHCP Information section with the IPs of your DHCP
   servers
   9. For DHCP Proxy Mode select Global

Can you try that config, take a tcpdump from the DHCP server and the client
for DHCP packets, and post it?



On Mon, Jul 21, 2014 at 8:20 AM, luca comes lucaco...@hotmail.it wrote:

 I have all the VLANs needed (registration, isolation and guest) configured
 on the controller; in fact I can ping PF and vice versa. For the DHCP proxy
 mode I'm not sure what the correct way is, but I tried both global and
 disabled and the behaviour is always the same. The problem is really
 similar to bug 0001050 but I'm not able to solve it. I'm also trying to
 use PF as DHCP server for the production environment but it doesn't work. It's
 really annoying because all the other things are working fine and I don't
 want to throw away months of work and testing and replace the system
 with the Cisco captive portal page.

 Luca

 --
 Date: Mon, 21 Jul 2014 07:05:56 -0700

 From: fhay...@willamette.edu
 To: packetfence-users@lists.sourceforge.net
 Subject: Re: [PacketFence-users] CISCO WLC and DHCP bug

 Do you have DHCP proxy configured on the WiSM globally? Have you
 configured interfaces on the WiSM for each VLAN you are using?


 On Sun, Jul 20, 2014 at 11:42 PM, luca comes lucaco...@hotmail.it wrote:

 Hi Fletcher,
 my WLAN is configured for central switching in our datacenter where also
 the DHCP server is located.

 Thanks

 Luca

 --
 Date: Fri, 18 Jul 2014 08:27:56 -0700
 From: fhay...@willamette.edu
 To: packetfence-users@lists.sourceforge.net
 Subject: Re: [PacketFence-users] CISCO WLC and DHCP bug


 Are your WLANs configured for central or local switching?


 On Fri, Jul 18, 2014 at 8:22 AM, luca comes lucaco...@hotmail.it wrote:

 Hi all,
 I've got a strange problem with DHCP after deauthentication. I'm running
 Cisco virtual WLC (last release 7.6.120) and Packetfence 4.3.0 deployed to
 serve wireless guest access through email sponsorship. I'm using ISC DHCP
 Server 4.1.1 (the DHCP server for all production subnets) on CentOS 5.10 to
 give IP addresses on the guest subnet; an IP helper address configuration is
 made on the core switch to make it possible. All seems to be working fine,
 but after deauthentication clients can't get an IP from the DHCP server. I
 took a dump from the log and from tcpdump and the requests are arriving
 correctly on the guest VLAN, but the server answers "wrong network!" and
 sends DHCPNAK. After that the clients don't try a new discover and always
 keep the IP they got from the registration VLAN. Can someone help me?

 P.S. The problem is the same with Windows 7 or Linux clients


 Thanks

 Luca






 --
 Fletcher Haynes fhay...@willamette.edu
 Systems Administrator/Network Services Consultant
 Willamette Integrated Technology Services
 Willamette University, Salem, OR
 Phone: 503.370.6016

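Luca's symptom above (requests reach the guest VLAN, the server answers "wrong network!" with DHCPNAK) as an added Python illustration; this is not code from PacketFence, ISC DHCP or anyone in the thread. It builds the DHCPREQUEST a client still holding its registration-VLAN lease sends after landing on the guest VLAN, stamps the guest-VLAN relay address (giaddr) on it as the controller or core would, and applies the subnet comparison that makes a relay-aware DHCP server refuse it. Subnets, relay address and client MAC are constructed lab values.

```python
import ipaddress
import struct

# Constructed lab addressing: the registration VLAN and the guest VLAN the
# thread talks about, plus the relay-agent address (giaddr) the WLC/core
# stamps on requests coming in from the guest VLAN.
REGISTRATION_NET = ipaddress.ip_network("10.10.10.0/24")
GUEST_NET = ipaddress.ip_network("10.20.20.0/24")
SERVED_SUBNETS = (REGISTRATION_NET, GUEST_NET)

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 options "magic cookie"
OPT_REQUESTED_IP = 50
OPT_MSG_TYPE = 53
OPT_END = 255
MSG_REQUEST = 3


def build_dhcp_request(chaddr: bytes, requested_ip: str, giaddr: str,
                       xid: int = 0x1234) -> bytes:
    """Build a minimal INIT-REBOOT DHCPREQUEST (ciaddr 0, option 50 carries the lease)."""
    pkt = struct.pack("!BBBB", 1, 1, 6, 0)              # op=BOOTREQUEST, htype=Ethernet, hlen, hops
    pkt += struct.pack("!IHH", xid, 0, 0x8000)          # xid, secs, flags (broadcast bit)
    pkt += bytes(12)                                    # ciaddr, yiaddr, siaddr all zero
    pkt += ipaddress.ip_address(giaddr).packed          # giaddr: filled in by the relay agent
    pkt += chaddr.ljust(16, b"\x00")                    # chaddr padded to 16 bytes
    pkt += bytes(64) + bytes(128)                       # sname and file, unused here
    pkt += DHCP_MAGIC
    pkt += bytes([OPT_MSG_TYPE, 1, MSG_REQUEST])
    pkt += bytes([OPT_REQUESTED_IP, 4]) + ipaddress.ip_address(requested_ip).packed
    pkt += bytes([OPT_END])
    return pkt


def parse_dhcp(pkt: bytes) -> dict:
    """Pull the fixed-header fields and TLV options the subnet check needs."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload")
    fields = {
        "op": pkt[0],
        "xid": struct.unpack("!I", pkt[4:8])[0],
        "ciaddr": str(ipaddress.ip_address(pkt[12:16])),
        "giaddr": str(ipaddress.ip_address(pkt[24:28])),
        "chaddr": pkt[28:28 + pkt[2]].hex(":"),
        "options": {},
    }
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            break
        if code == 0:                                   # pad option: single byte, no length
            i += 1
            continue
        length = pkt[i + 1]
        fields["options"][code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return fields


def evaluate_request(pkt: bytes, subnets=SERVED_SUBNETS) -> str:
    """Apply the relay-aware check a DHCP server makes on a DHCPREQUEST.

    giaddr tells the server which network the client is physically on. A
    request for an address outside that network (a lease carried over from
    another VLAN) is refused with DHCPNAK; ISC dhcpd logs the reason as
    "wrong network". A well-behaved client then drops the old lease and
    restarts with DHCPDISCOVER on its new VLAN.
    """
    req = parse_dhcp(pkt)
    if req["options"].get(OPT_MSG_TYPE) != bytes([MSG_REQUEST]):
        return "ignored: not a DHCPREQUEST"
    if OPT_REQUESTED_IP not in req["options"]:
        return "unchecked: no requested-address option (a renewal carries ciaddr instead)"
    giaddr = ipaddress.ip_address(req["giaddr"])
    requested = ipaddress.ip_address(req["options"][OPT_REQUESTED_IP])
    relay_net = next((n for n in subnets if giaddr in n), None)
    if relay_net is None:
        return f"dropped: relay {giaddr} matches no served subnet"
    if requested not in relay_net:
        return (f"DHCPNAK: wrong network ({requested} requested via {giaddr}, "
                f"client is on {relay_net})")
    return f"DHCPACK candidate: {requested} is valid on {relay_net}"


if __name__ == "__main__":
    client = bytes.fromhex("020000000001")              # constructed locally administered MAC
    # Device moved to the guest VLAN but still asking for its registration-VLAN lease
    stale = build_dhcp_request(client, "10.10.10.55", giaddr="10.20.20.1")
    # Same device after a fresh DISCOVER/OFFER on the guest VLAN
    fresh = build_dhcp_request(client, "10.20.20.77", giaddr="10.20.20.1")
    for label, packet in (("stale lease", stale), ("fresh lease", fresh)):
        print(f"{label}: {evaluate_request(packet)}")
```

Running it prints a DHCPNAK verdict for the stale lease and an ACK candidate for the fresh one; the same check applied to a real tcpdump capture tells you whether the NAK is the server doing its job or a misconfigured relay.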

Re: [PacketFence-users] CISCO WLC and DHCP bug

2014-07-18 Thread Fletcher Haynes
Are your WLANs configured for central or local switching?


On Fri, Jul 18, 2014 at 8:22 AM, luca comes lucaco...@hotmail.it wrote:

 Hi all,
 I've got a strange problem with DHCP after deauthentication. I'm running
 Cisco virtual WLC (last release 7.6.120) and Packetfence 4.3.0 deployed to
 serve wireless guest access through email sponsorship. I'm using ISC DHCP
 Server 4.1.1 (the DHCP server for all production subnets) on CentOS 5.10 to
 give IP addresses on the guest subnet; an IP helper address configuration is
 made on the core switch to make it possible. All seems to be working fine,
 but after deauthentication clients can't get an IP from the DHCP server. I
 took a dump from the log and from tcpdump and the requests are arriving
 correctly on the guest VLAN, but the server answers "wrong network!" and
 sends DHCPNAK. After that the clients don't try a new discover and always
 keep the IP they got from the registration VLAN. Can someone help me?

 P.S. The problem is the same with Windows 7 or Linux clients


 Thanks

 Luca






-- 
Fletcher Haynes fhay...@willamette.edu
Systems Administrator/Network Services Consultant
Willamette Integrated Technology Services
Willamette University, Salem, OR
Phone: 503.370.6016


Re: [PacketFence-users] Cisco WLC, Private and Public WLANs

2014-06-17 Thread Sallee, Jake
-SNIP-
Right now as it stands, if a user chooses the private SSID and authenticates,
they are sent to the appropriate VLAN (staff or student). If that user then
chooses the public SSID, they will go there fine, still on the appropriate
VLAN they had registered with earlier, but in a wide open WLAN. Is this how
it should happen?
-/SNIP-

Can you elaborate on this a bit?  Are the users supposed to be on a different 
vlan for the public ssid?  If so, how are you setting that vlan?  Is it through 
PF or on the WLC?

I am also running PF through a 5508 but with a slightly different setup.  I am 
using a single ssid but assigning different vlans based on user roles and 
credentials.

I will be AFK for a bit but I will respond as soon as I can when I see your 
response.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

From: Lupe Silva [lupe.si...@gmail.com]
Sent: Monday, June 16, 2014 6:57 PM
To: packetfence-users@lists.sourceforge.net
Subject: [PacketFence-users] Cisco WLC, Private and Public WLANs

I have PacketFence working with my Cisco WLC 5508 with both a private and
public SSID, as per instructions. The private uses 802.1X authentication with
WPA2. The public open one will use the PF portal to get users registered.

I basically have 3 VLANs, staff, students and guest (plus registration and
isolation), with the two SSIDs, private and public.

Right now as it stands, if a user chooses the private SSID and authenticates,
they are sent to the appropriate VLAN (staff or student). If that user then
chooses the public SSID, they will go there fine, still on the appropriate
VLAN they had registered with earlier, but in a wide open WLAN. Is this how
it should happen?

Since PF and the Cisco WLC do not send the SSID back and forth, is there a way
to configure the public SSID so it can only have access to the public VLAN (and
registration and isolation)? If a device was registered as guest or staff, I
would like it to change its registration to guest so it will not compromise
security.

Thanks in advance.


Lupe Silva


--
HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
Find What Matters Most in Your Big Data with HPCC Systems
Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
Leverages Graph Analysis for Fast Processing & Easy Data Exploration
http://p.sf.net/sfu/hpccsystems
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Cisco WLC, Private and Public WLANs

2014-06-17 Thread Lupe Silva
Thanks for the response.
My objective is as follows:
One private SSID for staff and students that uses WPA2/802.1X that assigns
to the vlan according to their role.  We have Active Directory and with
this setup, users only need to log into their workstations and their roles
will be assigned accordingly.

I want a separate public SSID for guests.  Using the PF Docs, I am creating
an open WLAN with MAC filtering.  I want the guests to use the PF portal to
give us their name, email, etc. to register their device and then they
would only have access to the guest network.

Right now PF sets the VLANs on the WLC (again per the PF documentation).

I have the SSIDs working as expected; however, the issue occurs when a
machine is initially registered with a staff or student role, then (although
this should not happen), if a user were to switch their SSID from the
private SSID to the public SSID, they will get the VLAN assigned to the
role they got when registered on the private SSID.  So, they are using the
public SSID with no encryption, accessing our internal resources.



Lupe Silva



On Tue, Jun 17, 2014 at 7:52 AM, Sallee, Jake jake.sal...@umhb.edu wrote:

 -SNIP-
 Right now as it stands, if a user chooses the private SSID and
 authenticates, they are sent to the appropriate VLAN (staff or student).
 If that user then chooses the public SSID, they will go there fine, still
 on the appropriate VLAN they had registered with earlier, but in a wide
 open WLAN. Is this how it should happen?
 -/SNIP-

 Can you elaborate on this a bit?  Are the users supposed to be on a
 different vlan for the public ssid?  If so, how are you setting that vlan?
  Is it through PF or on the WLC?

 I am also running PF through a 5508 but with a slightly different setup.
  I am using a single ssid but assigning different vlans based on user roles
 and credentials.

 I will be AFK for a bit but I will respond as soon as I can when I see
 your response.

 Jake Sallee
 Godfather of Bandwidth
 System Engineer
 University of Mary Hardin-Baylor
 WWW.UMHB.EDU

 900 College St.
 Belton, Texas
 76513

 Fone: 254-295-4658
 Phax: 254-295-4221
 
 From: Lupe Silva [lupe.si...@gmail.com]
 Sent: Monday, June 16, 2014 6:57 PM
 To: packetfence-users@lists.sourceforge.net
 Subject: [PacketFence-users] Cisco WLC, Private and Public WLANs

 I have PacketFence working with my Cisco WLC 5508 with both a private and
 public SSID, as per instructions. The private uses 802.1X authentication
 with WPA2.  The public open one will use the PF portal to get users registered.

 I basically have 3 VLANs, staff, students and guest (plus registration and
 isolation), with the two SSIDs, private and public.

 Right now as it stands, if a user chooses the private SSID and
 authenticates, they are sent to the appropriate VLAN (staff or student).
 If that user then chooses the public SSID, they will go there fine, still
 on the appropriate VLAN they had registered with earlier, but in a wide
 open WLAN. Is this how it should happen?

 Since PF and the Cisco WLC do not send the SSID back and forth, is there a way
 to configure the public SSID so it can only have access to the public VLAN
 (and registration and isolation)?  If a device was registered as guest or
 staff, I would like it to change its registration to guest so it will not
 compromise security.

 Thanks in advance.


 Lupe Silva





Re: [PacketFence-users] Cisco WLC, Private and Public WLANs

2014-06-17 Thread Lupe Silva
Thanks for the reply.

Yes, a re-evaluation would have been good.  I did have rules in my sources
to define rules on SSID, but like you said, it did not re-evaluate.

However, after a day of digging through the PF code, I have made a few
changes and got something to work.
1) I changed my WLC RADIUS configuration "Acct Call Station ID Type" and
"Auth Call Station ID Type" to "AP MAC Address:SSID" and "MAC Delimiter" to
"Colon".  With this change I am now getting SSID info from the WLC into PF.

2) I added extra Perl code to vlan.pm (I will move it to vlan custom) that
evaluates the SSID when the connection type is WIRELESS_MAC_AUTH.  If the
SSID is the guest ID and the current role of the node is not isolation or
is not registration, then return the role of guest.

It is working as I would like now.

Although I have made the code changes and modifications, is/was there
another way to do this?

Lupe



Lupe Silva



On Tue, Jun 17, 2014 at 12:29 PM, Sallee, Jake jake.sal...@umhb.edu wrote:

 What it sounds like is you want the user's role to be re-evaluated on
 every connection, right?

 How are you assigning the role now?

 In the sources config, do you have a rule that assigns the role based on
 the SSID?

 I don't know if the rules in your sources config get evaluated every time
 (it would be nice) and I also don't know if the rules are first-match-exit
 or fall-through.  But it seems like a good place to start.

 Jake Sallee
 Godfather of Bandwidth
 System Engineer
 University of Mary Hardin-Baylor
 WWW.UMHB.EDU

 900 College St.
 Belton, Texas
 76513

 Fone: 254-295-4658
 Phax: 254-295-4221
 
 From: Lupe Silva [lupe.si...@gmail.com]
 Sent: Tuesday, June 17, 2014 10:14 AM
 To: packetfence-users@lists.sourceforge.net
 Subject: Re: [PacketFence-users] Cisco WLC, Private and Public WLANs

 Thanks for the response.
 My objective is as follows:
 One private SSID for staff and students that uses WPA2/802.1X that assigns
 to the vlan according to their role.  We have Active Directory and with
 this setup, users only need to log into their workstations and their roles
 will be assigned accordingly.

 I want a separate public SSID for guests.  Using the PF Docs, I am
 creating an open WLAN with MAC filtering.  I want the guests to use the PF
 portal to give us their name, email, etc. to register their device and then
 they would only have access to the guest network.

 Right now PF sets the VLANs on the WLC (again per the PF documentation).

 I have the SSIDs working as expected; however, the issue occurs when a
 machine is initially registered with a staff or student role, then (although
 this should not happen), if a user were to switch their SSID from the
 private SSID to the public SSID, they will get the VLAN assigned to the
 role they got when registered on the private SSID.  So, they are using the
 public SSID with no encryption, accessing our internal resources.



 Lupe Silva



 On Tue, Jun 17, 2014 at 7:52 AM, Sallee, Jake jake.sal...@umhb.edu wrote:
 -SNIP-
 Right now as it stands, if a user chooses the private SSID and
 authenticates, they are sent to the appropriate VLAN (staff or student).
 If that user then chooses the public SSID, they will go there fine, still
 on the appropriate VLAN they had registered with earlier, but in a wide
 open WLAN. Is this how it should happen?
 -/SNIP-

 Can you elaborate on this a bit?  Are the users supposed to be on a
 different vlan for the public ssid?  If so, how are you setting that vlan?
  Is it through PF or on the WLC?

 I am also running PF through a 5508 but with a slightly different setup.
  I am using a single ssid but assigning different vlans based on user roles
 and credentials.

 I will be AFK for a bit but I will respond as soon as I can when I see
 your response.

 Jake Sallee
 Godfather of Bandwidth
 System Engineer
 University of Mary Hardin-Baylor
 WWW.UMHB.EDU

 900 College St.
 Belton, Texas
 76513

 Fone: 254-295-4658
 Phax: 254-295-4221
 
 From: Lupe Silva [lupe.si...@gmail.com]
 Sent: Monday, June 16, 2014 6:57 PM
 To: packetfence-users@lists.sourceforge.net
 Subject: [PacketFence-users] Cisco WLC, Private and Public WLANs

 I have PacketFence working with my Cisco WLC 5508 with both a private and
 public SSID, as per instructions. The private uses 802.1X authentication
 with WPA2.  The public open one will use the PF portal to get users registered.

 I basically have 3 VLANs, staff, students and guest (plus registration and
 isolation), with the two SSIDs, private and public.

 Right now as it stands, if a user chooses the private SSID and
 authenticates, they are sent to the appropriate VLAN (staff or student).
 If that user then chooses the public SSID, they will go there fine, still
 on their appropriate vlan they had
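The override Lupe describes in steps 1 and 2 above, as an added Python illustration rather than PacketFence's own vlan.pm code: parse the WLC's "AP MAC Address:SSID" Called-Station-Id (with either delimiter, and with a bare AP MAC as the WLC default), then hand back the guest role for a MAC-auth request on the guest SSID unless the node is in registration or isolation. SSID names, the role-to-VLAN numbers, the MACs and the 802.1X connection-type label are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed policy: the roles this deployment hands back to the WLC as VLANs.
ROLE_TO_VLAN = {"registration": 2, "isolation": 3, "staff": 10, "student": 20, "guest": 30}
GUEST_SSID = "Campus-Guest"                    # constructed: the open, MAC-filtered SSID
SYSTEM_ROLES = ("registration", "isolation")   # portal and remediation roles are never overridden
MAC_AUTH = "WIRELESS_MAC_AUTH"                 # connection type named in the thread
DOT1X = "WIRELESS_802_1X"                      # constructed label for the 802.1X SSID's requests

# "AP MAC Address:SSID" with a colon or hyphen MAC delimiter. The MAC is always
# 17 characters, so everything after the separator is the SSID (which may itself
# contain colons). A bare MAC, the WLC default, carries no SSID at all.
_CALLED_STATION_RE = re.compile(
    r"^([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})(?:[:-](.+))?$")


def parse_called_station_id(value: str) -> Tuple[str, Optional[str]]:
    """Split a RADIUS Called-Station-Id into (normalised AP MAC, SSID or None)."""
    m = _CALLED_STATION_RE.match(value.strip())
    if not m:
        raise ValueError(f"unparseable Called-Station-Id: {value!r}")
    digits = re.sub(r"[^0-9a-f]", "", m.group(1).lower())
    ap_mac = ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    return ap_mac, m.group(2)


@dataclass
class Node:
    mac: str
    role: str                                  # role the device was registered with


def resolve_role(node: Node, connection_type: str, ssid: Optional[str],
                 guest_ssid: str = GUEST_SSID) -> str:
    """Role returned for this access request.

    Registration and isolation pass through untouched so the captive portal and
    remediation flows keep working on the open SSID. Any other registered role
    is downgraded to guest when the request is a MAC-auth request on the guest
    SSID. When the WLC sent no SSID (None) nothing can be decided and the
    registered role comes back unchanged: the staff-VLAN-on-open-SSID leak.
    """
    if node.role in SYSTEM_ROLES:
        return node.role
    if connection_type == MAC_AUTH and ssid == guest_ssid:
        return "guest"
    return node.role


def access_accept(called_station_id: str, connection_type: str, node: Node) -> dict:
    """Decide role and VLAN for one RADIUS Access-Request."""
    ap_mac, ssid = parse_called_station_id(called_station_id)
    role = resolve_role(node, connection_type, ssid)
    return {"ap_mac": ap_mac, "ssid": ssid, "role": role, "vlan": ROLE_TO_VLAN[role]}


if __name__ == "__main__":
    staff_laptop = Node(mac="02:00:00:00:00:01", role="staff")   # constructed
    # WLC default (AP MAC only): the SSID is unknown, so the staff VLAN leaks onto the open SSID
    print(access_accept("00-11-22-33-44-55", MAC_AUTH, staff_laptop))
    # After switching to "AP MAC Address:SSID": the open SSID is visible and the role is forced to guest
    print(access_accept("00:11:22:33:44:55:Campus-Guest", MAC_AUTH, staff_laptop))
    # The same device back on the 802.1X SSID keeps its staff role
    print(access_accept("00:11:22:33:44:55:Campus-Secure", DOT1X, staff_laptop))
```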

Re: [PacketFence-users] Cisco WLC, Private and Public WLANs

2014-06-17 Thread Sallee, Jake
I think the cleanest solution would be to have the roles re-evaluated on each 
connection.  Otherwise I think what you are doing is probably the way to do it.

***TO THE PF DEVS***

What is the reasoning behind never re-evaluating the roles assigned to a user?  
Is the process particularly resource intensive? If the roles were evaluated on 
every connection it could make the role mechanic much more powerful.

For example: I never want anyone on my unencrypted wifi to be on the
administrative VLAN. I could set a rule that changes the role of anyone who
connects to that SSID to my untrusted VLAN. The next time that person hits my
encrypted wifi they would then be given the VLAN their credentials say they
should be on.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

From: Lupe Silva [lupe.si...@gmail.com]
Sent: Tuesday, June 17, 2014 3:29 PM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Cisco WLC, Private and Public WLANs

Thanks for the reply.

Yes, a re-evaluation would have been good.  I did have rules in my sources to 
define rules on SSID, but like you said, it did not re-evaluate.

However, after a day of digging through the PF code, I have made a few changes 
and got something to work.
1) I changed my WLC RADIUS configuration "Acct Call Station ID Type" and "Auth
Call Station ID Type" to "AP MAC Address:SSID" and "MAC Delimiter" to "Colon".
With this change I am now getting SSID info from the WLC into PF.

2) I added extra Perl code to vlan.pm (I will move it to vlan custom) that
evaluates the SSID when the connection type is WIRELESS_MAC_AUTH.  If the SSID
is the guest ID and the current role of the node is not isolation or is not
registration, then return the role of guest.

It is working as I would like now.

Although I have made the code changes and modifications, is/was there another 
way to do this?

Lupe



Lupe Silva



On Tue, Jun 17, 2014 at 12:29 PM, Sallee, Jake jake.sal...@umhb.edu wrote:
What it sounds like is you want the user's role to be re-evaluated on every 
connection, right?

How are you assigning the role now?

In the sources config, do you have a rule that assigns the role based on the 
SSID?

I don't know if the rules in your sources config get evaluated every time (it 
would be nice) and I also don't know if the rules are first-match-exit or 
fall-through.  But it seems like a good place to start.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

From: Lupe Silva [lupe.si...@gmail.com]
Sent: Tuesday, June 17, 2014 10:14 AM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Cisco WLC, Private and Public WLANs

Thanks for the response.
My objective is as follows:
One private SSID for staff and students that uses WPA2/802.1X that assigns to 
the vlan according to their role.  We have Active Directory and with this 
setup, users only need to log into their workstations and their roles will be 
assigned accordingly.

I want a separate public SSID for guests.  Using the PF Docs, I am creating an
open WLAN with MAC filtering.  I want the guests to use the PF portal to give us
their name, email, etc. to register their device and then they would only have
access to the guest network.

Right now PF sets the VLANs on the WLC (again per the PF documentation).

I have the SSIDs working as expected; however, the issue occurs when a machine
is initially registered with a staff or student role, then (although this should
not happen), if a user were to switch their SSID from the private SSID to
the public SSID, they will get the VLAN assigned to the role they got when
registered on the private SSID.  So, they are using the public SSID with no
encryption, accessing our internal resources.



Lupe Silva



On Tue, Jun 17, 2014 at 7:52 AM, Sallee, Jake jake.sal...@umhb.edu wrote:
-SNIP-
Right now as it stands, if a user chooses the private SSID and authenticates,
they are sent to the appropriate VLAN (staff or student). If that user then
chooses the public SSID, they will go there fine, still on the appropriate
VLAN they had registered with earlier, but in a wide open WLAN. Is this how
it should happen?
-/SNIP-

Can you elaborate on this a bit?  Are the users supposed to be on a different 
vlan for the public ssid?  If so, how are you setting that vlan?  Is it through 
PF or on the WLC?

I am also running PF through a 5508 but with a slightly different setup.  I

Re: [PacketFence-users] Cisco WLC, Private and Public WLANs

2014-06-17 Thread Durand fabrice
Hi all,

In the upcoming 4.3 release we introduce VLAN filters; the goal of this
feature is to move part of the custom code from vlan/custom.pm into a
configuration file.
An example is better than a complex explanation:

https://github.com/inverse-inc/packetfence/blob/devel/conf/vlan_filters.conf.example

So with that you can easily force the role to guest on the open SSID
even if you have been registered on the secure SSID with the staff role.

Regards
Fabrice

On 2014-06-17 17:09, Sallee, Jake wrote:
 I think the cleanest solution would be to have the roles re-evaluated on each 
 connection.  Otherwise I think what you are doing is probably the way to do 
 it.

 ***TO THE PF DEVS***

 What is the reasoning behind never re-evaluating the roles assigned to a 
 user?  Is the process particularly resource intensive? If the roles were 
 evaluated on every connection it could make the role mechanic much more 
 powerful.

 For example: I never want anyone on my unencrypted wifi to be on the
 administrative VLAN. I could set a rule that changes the role of anyone who
 connects to that SSID to my untrusted VLAN. The next time that person hits my
 encrypted wifi they would then be given the VLAN their credentials say they
 should be on.

 Jake Sallee
 Godfather of Bandwidth
 System Engineer
 University of Mary Hardin-Baylor
 WWW.UMHB.EDU

 900 College St.
 Belton, Texas
 76513

 Fone: 254-295-4658
 Phax: 254-295-4221
 
 From: Lupe Silva [lupe.si...@gmail.com]
 Sent: Tuesday, June 17, 2014 3:29 PM
 To: packetfence-users@lists.sourceforge.net
 Subject: Re: [PacketFence-users] Cisco WLC, Private and Public WLANs

 Thanks for the reply.

 Yes, a re-evaluation would have been good.  I did have rules in my sources to 
 define rules on SSID, but like you said, it did not re-evaluate.

 However, after a day of digging through the PF code, I have made a few 
 changes and got something to work.
 1) I changed my WLC radius configuration Acct Call Station ID Type and 
 Auth Call Station ID Type to AP MAC Address:SSID and MAC Delimiter to 
 Colon.  With this change I am now getting SSID info from WLC into PF.

 2) I added extra perl code to vlan.pm (I will move it to vlan 
 custom) that evaluates the SSID when the connection type is 
 WIRELESS_MAC_AUTH.  If the SSID is the guest ID and the current role of the 
 node is not isolation and not registration, then return the role of guest.

 It is working as I would like now.

 Although I have made the code changes and modifications, is/was there another 
 way to do this?

 Lupe



 Lupe Silva



 On Tue, Jun 17, 2014 at 12:29 PM, Sallee, Jake jake.sal...@umhb.edu wrote:
 What it sounds like is you want the user's role to be re-evaluated on every 
 connection, right?

 How are you assigning the role now?

 In the sources config, do you have a rule that assigns the role based on the 
 SSID?

 I don't know if the rules in your sources config get evaluated every time (it 
 would be nice) and I also don't know if the rules are first-match-exit or 
 fall-through.  But it seems like a good place to start.

 Jake Sallee
 Godfather of Bandwidth
 System Engineer
 University of Mary Hardin-Baylor
 WWW.UMHB.EDU

 900 College St.
 Belton, Texas
 76513

 Fone: 254-295-4658
 Phax: 254-295-4221
 
 From: Lupe Silva [lupe.si...@gmail.com]
 Sent: Tuesday, June 17, 2014 10:14 AM
 To: packetfence-users@lists.sourceforge.net
 Subject: Re: [PacketFence-users] Cisco WLC, Private and Public WLANs

 Thanks for the response.
 My objective is as follows:
 One private SSID for staff and students that uses WPA2/802.1X that assigns to 
 the vlan according to their role.  We have Active Directory and with this 
 setup, users only need to log into their workstations and their roles will be 
 assigned accordingly.

 I want a separate public SSID for guests.  Using the PF Docs, I am creating 
 an open WLAN with MAC filtering.  I want the guests to use the PF portal to give 
 us their name, email, etc. to register their device and then they would only 
 have access to the guest network.

 Right now PF sets the VLANs on the WLC (again per the PF documentation).

 I have the SSIDs working as expected; however, the issue occurs when a 
 machine is initially registered with a staff or student role. Then (although 
 this should not happen), if a user were to switch their SSID from the 
 private SSID to the public SSID, they will get the VLAN assigned to the 
 role they got when registered on the private SSID.  So, they are using the 
 public SSID with no encryption, accessing our internal resources.



 Lupe Silva



 On Tue, Jun 17, 2014 at 7:52 AM, Sallee, Jake jake.sal...@umhb.edu wrote:
 -SNIP

Re: [PacketFence-users] Cisco WLC, Private and Public WLANs

2014-06-17 Thread Sallee, Jake
That sounds great!

However, will that role be re-evaluated on every connection? That seems to be 
the sticking point. 

From the example you gave it looks like it hooks into the GetNormalVlanForNode 
method in which case it would get re-eval'ed on every connection which is 
exactly what we would like.  I just want to make sure I am reading it 
correctly.


Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221



Re: [PacketFence-users] Cisco WLC, Private and Public WLANs

2014-06-17 Thread Durand fabrice
In fact each time PF receives, for example, a new RADIUS request it tries to 
test the rules and if one matches then it returns the role.

The problem with re-evaluating is if the source you define in the secure 
portal profile (Active Directory) is not the same as defined in the 
guest portal profile (email).
Imagine on the secure SSID you have an Active Directory source and if your 
group membership is staff then we return the staff VLAN role.
Now you go on the open SSID and you have to re-evaluate, but on which 
source? Email? Your device has never been registered by email so we 
can't re-evaluate.
One option would be to unreg the device if you come from another SSID, or 
it can be: is the source I used to reg my device available on 
this portal profile? Yes - re-evaluate, No - unreg the device.
It's not really simple and the workflow can be very different for each 
customer.
So that's why we did VLAN filters, to allow the network admin to make his own 
rules.

Fabrice




Re: [PacketFence-users] Cisco WLC 5508 Firmware

2014-05-28 Thread Lupe Silva
In following the documentation, I have set up the Secure SSID and Public
SSID.  Secure is working fine.  The public does not seem to work.  It
appears that PacketFence is sending the appropriate VLAN via RADIUS to
the WLC, but the devices on the public SSID don't seem to connect.  I
suspect they don't get a DHCP address.  DHCP itself is working.


Lupe Silva





Re: [PacketFence-users] Cisco WLC 5508 Firmware

2014-05-26 Thread Derek Wuelfrath
If you explain what kind of issues you are having, that would help.

Cheers!
dw.

--
Derek Wuelfrath
dwuelfr...@inverse.ca :: www.inverse.ca
+1.514.447.4918 (x110) :: +1.866.353.6153 (x110)
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)

On May 23, 2014, at 6:21 PM, Lupe Silva lupe.si...@gmail.com wrote:

 I am having some issues with the Cisco WLC 5508 and, looking at the 
 previous posts, I am wondering if it could be that I have one of the 
 latest firmware versions on the WLC.
 I am running 7.6.100. I see that 7.6.120 is available; however, from the 
 previous posts it seems that others are running 7.0.x or 7.2.x.  I see that 
 7.4.x is also available.  
 
 My WLC came with 7.0 installed and I upgraded 6 months ago before I started 
 the PacketFence setup.  
 
 So, is there a recommended version of the WLC firmware for working best with 
 PacketFence: 7.0.x, 7.2.x, 7.4.x or 7.6.x?
 
 
 Lupe Silva
 


Re: [PacketFence-users] Cisco WLC Radius accounting issue

2013-04-15 Thread Francois Gaudreault
Look in your WLC settings; you need to send the System MAC, not the IP 
Address.  I don't remember exactly where this setting is located, though, 
but it should be around the accounting or RADIUS settings.


Francois

On 2013-04-12 1:47 PM, Ables, Jamison (Newark City Schools) wrote:
Thanks, that fixed it! For the record we are not using our WLCs for 
DHCP or even DHCP relay/proxy. We are running that on a separate 
server for now. Keep up the great work!


Thanks,
Jamison Ables
Deputy Network Coordinator
Newark City Schools
Phone:  740-670-7066


Re: [PacketFence-users] Cisco WLC Radius accounting issue

2013-04-12 Thread Fabrice DURAND

Hello Jamison,
I have already met this issue and I think it's because your controller 
is the DHCP server.

To fix that you have to play with the RADIUS configuration.

First add in the policy file (/usr/local/pf/raddb/policy.conf) these lines:

#  Add rewrite.calling_station_id_accounting in the accounting section.
#
rewrite.calling_station_id_accounting {
    # Take the second "/"-separated field of Acct-Session-Id and use it
    # as Calling-Station-Id; leave the request alone if it is not there.
    if ((Acct-Session-Id) && %{Acct-Session-Id} =~ /^[^\/]+\/([^\/]+)\/.*/i) {
        update request {
            Calling-Station-Id := "%{1}"
        }
        updated
    }
    else {
        noop
    }
}

And in the /usr/local/pf/raddb/sites-available/packetfence file, in the 
accounting section:


accounting {
rewrite.calling_station_id_accounting
sql
attr_filter.accounting_response
}

Then restart packetfence

Regards
Fabrice




On 2013-04-12 13:06, Ables, Jamison (Newark City Schools) wrote:

Hello,

We have an issue where our RADIUS accounting information comes back into
PacketFence in the form of IP addresses instead of the MAC address. We
are not sure where this issue is but likely an issue with the WLC. We have
tried multiple code versions from 6.X to 7.4 and none of them have
corrected this issue. Is there any logging or debugging that we could turn
on that might help with this? We are running PacketFence 3.6.1.

Thanks,
Jamison Ables
Deputy Network Coordinator
Newark City Schools
Phone:  740-670-7066





--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)


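The rewrite that the unlang policy above performs, modelled in Python as an added example (not PacketFence's or FreeRADIUS's own code) so the regex and its noop cases can be checked offline. The sample Acct-Session-Id values are constructed, and the MAC-validation step is an addition the unlang policy does not have.

```python
"""Added example, not PacketFence or FreeRADIUS code: the Calling-Station-Id
rewrite from the policy above, modelled in Python.

The unlang policy captures the second "/"-separated field of Acct-Session-Id
and copies it into Calling-Station-Id so PacketFence sees a MAC instead of
the IP address the controller sent.  This model adds one check the policy
does not have: the captured field must actually look like a MAC, otherwise
the request is left untouched ("noop").
"""
import re

# Same regex as the unlang policy: ^[^\/]+\/([^\/]+)\/.*
SESSION_ID_RE = re.compile(r"^[^/]+/([^/]+)/.*", re.IGNORECASE)

# Accept the common MAC spellings a controller may emit:
# aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff, aabbccddeeff.
MAC_RE = re.compile(
    r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$"
    r"|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$"
    r"|^[0-9a-f]{12}$",
    re.IGNORECASE,
)


def normalize_mac(raw):
    """Return the MAC as lowercase colon-separated (the form PacketFence
    keys nodes by), or None when the string is not a MAC address."""
    candidate = raw.strip().lower()
    if not MAC_RE.match(candidate):
        return None
    digits = re.sub(r"[^0-9a-f]", "", candidate)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def rewrite_calling_station_id(request):
    """Mirror of rewrite.calling_station_id_accounting.

    `request` maps RADIUS attribute names to string values.  Returns a new
    dict plus the unlang return code the policy would yield: "updated" when
    Calling-Station-Id was replaced, "noop" otherwise.
    """
    session_id = request.get("Acct-Session-Id")
    if not session_id:                      # (Acct-Session-Id) is false
        return dict(request), "noop"
    match = SESSION_ID_RE.match(session_id)
    if match is None:                       # regex did not match
        return dict(request), "noop"
    mac = normalize_mac(match.group(1))     # extra check, see module docstring
    if mac is None:
        return dict(request), "noop"
    updated = dict(request)
    updated["Calling-Station-Id"] = mac     # update request { ... := "%{1}" }
    return updated, "updated"


# Constructed accounting requests in a "<hex>/<mac>/<counter>" style; the
# first shows the symptom from the thread: an IP in Calling-Station-Id.
SAMPLE_REQUESTS = [
    {"Acct-Session-Id": "52ed0b8f/00:11:22:33:44:55/1043",
     "Calling-Station-Id": "10.1.2.3", "Acct-Status-Type": "Start"},
    {"Acct-Session-Id": "52ed0b90/0011.2233.4456/1044",
     "Calling-Station-Id": "10.1.2.4", "Acct-Status-Type": "Start"},
    {"Acct-Session-Id": "plain-session-id-without-slashes",
     "Calling-Station-Id": "10.1.2.5", "Acct-Status-Type": "Stop"},
    {"Calling-Station-Id": "10.1.2.6", "Acct-Status-Type": "Interim-Update"},
]


def process_accounting(requests):
    """Apply the rewrite to each request; return (rewritten list, #updated)."""
    results, updated_count = [], 0
    for req in requests:
        out, rcode = rewrite_calling_station_id(req)
        results.append(out)
        updated_count += rcode == "updated"
    return results, updated_count


if __name__ == "__main__":
    rewritten, count = process_accounting(SAMPLE_REQUESTS)
    for before, after in zip(SAMPLE_REQUESTS, rewritten):
        print(f"{before['Calling-Station-Id']:>10} -> {after['Calling-Station-Id']}")
    print(f"{count} of {len(SAMPLE_REQUESTS)} requests rewritten")
```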

Re: [PacketFence-users] Cisco WLC Radius accounting issue

2013-04-12 Thread Ables, Jamison (Newark City Schools)
Thanks, that fixed it! For the record we are not using our WLCs for DHCP or 
even DHCP relay/proxy. We are running that on a separate server for now. Keep 
up the great work!

Thanks,
Jamison Ables
Deputy Network Coordinator
Newark City Schools
Phone:  740-670-7066


Re: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue - Invalid RADIUS message authenticator

2012-10-23 Thread Thomas Tsai
Can't have them in both files, or the sql db bombs out stating duplicate entry. 

As far as I can tell pf modifies client.conf upon load adding all of the 
switches in switch.conf as a client.

- Original Message -
From: Brian Candler [mailto:b.cand...@pobox.com]
Sent: Tuesday, October 23, 2012 12:35 AM
To: packetfence-users@lists.sourceforge.net 
packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue - Invalid 
RADIUS message authenticator

On Mon, Oct 22, 2012 at 07:51:25PM +, Thomas Tsai wrote:
 I see where I went wrong.  I had added the client into the client.conf file, 
 which you had mentioned is in the admin guide on several other postings.

The secret in clients.conf is needed for the 802.1x authentication requests
which come from AP to FreeRADIUS.

The secret in switches.conf is needed for the CoA requests which come from
PF radclient to the AP.

--
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_sfd2d_oct
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

**
Email Disclaimer:

This email, including attachments, may contain 
proprietary, confidential or privileged information. If you 
are not the intended recipient, please (i) do not use, 
disclose, save or retransmit this message or any 
attachments, (ii) alert the sender by reply email and (iii) 
destroy or delete this message and any attachments. 
Delivery of this email to a person other than the intended 
recipient(s) shall not constitute a waiver of privilege or 
confidentiality.

CP Investments, member FINRA and SIPC, serves as 
placement agent for investment products advised by 
Canyon Capital Advisors LLC. This email is not intended to 
be an offer to sell or a solicitation of an offer to buy any 
security in any jurisdiction. We review and retain 
electronic communications traveling through our network.

**



Re: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue - Invalid RADIUS message authenticator

2012-10-23 Thread Francois Gaudreault

 The secret in clients.conf is needed for the 802.1x authentication requests
 which come from AP to FreeRADIUS.

 The secret in switches.conf is needed for the CoA requests which come from
 PF radclient to the AP.
You are wrong. For a while now (3.3.0, off the top of my head), the RADIUS 
NAS are handled in a SQL table and need to be set in switches.conf.

This is all documented.

-- 
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue - Invalid RADIUS message authenticator

2012-10-22 Thread Francois Gaudreault
I still believe it is a wrong shared secret.  Do you have special 
chars in your secret?

On 2012-10-22 11:49 AM, Thomas Tsai wrote:
 Bump.

 Thomas Tsai, CISSP
 Sr. Systems Engineer
 Canyon Partners, LLC
 tt...@canyonpartners.com
 +1.310.272.1746 (o)
 +1.310.600.6651 (c)


 *From*: Thomas Tsai [mailto:tt...@canyonpartners.com]
 *Sent*: Friday, October 19, 2012 11:04 AM
 *To*: 'packetfence-users@lists.sourceforge.net'
 *Subject*: Re: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue -
 Invalid RADIUS message authenticator

 Cisco has issued me firmware 7.2.110.10 that has fixed the
 deauthentication issue on their WLC.  This was tested using a third-party
 client called radtest (v2.6) and has been tested to be working now.

 This is what happens now:

 1) laptop connects via WIFI to a SSID managed through PF (radius).

 2) laptop is thrown into PF registration network

 3) Upon successful portal registration, PF attempts to send deauth
 request to WLC

 4) WLC receives deauth request, but rejects with the following error:

 *radiusRFC3576TransportThread: Oct 19 11:02:14.140: Request
 Authenticator(recv'd) - *31:42:70:62:b8:0e:0e:ea:a3:ef:01:1e:fa:c5:58:5a*

 *radiusRFC3576TransportThread: Oct 19 11:02:14.140: Request
 Authenticator(calc'd) - *8e:5f:11:72:7e:f4:28:bf:02:e9:8e:18:ce:e2:97:44*

 *radiusRFC3576TransportThread: Oct 19 11:02:14.140: Invalid RADIUS
 message authenticator

 *radiusRFC3576TransportThread: Oct 19 11:02:14.140: Invalid message
 authenticator received in 'RFC-3576 Disconnect-Request' from
 PACKETFENCE IP

 I have triple checked that my radius key in clients.conf on the PF
 server matches the key in WLC.  (It does since I can do the initial
 authentication onto the network.)

 But the authenticator is incorrect.  Any suggestions?  This is a very
 odd behavior.

 -Original Message-
 From: Thomas Tsai
 Sent: Friday, October 05, 2012 4:53 PM
 To: 'packetfence-users@lists.sourceforge.net'
 Subject: RE: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue -
 Invalid RADIUS message authenticator

 Update:  It's enabled, but it isn’t working.

 I took packetfence out of the mix, and assumed it was the WLC, so I went
 to hunt for a way to test COA/Deauth on a WLC5500.

 https://supportforums.cisco.com/docs/DOC-8473

 Here is an article to a PDF document describing how to do this, with
 radtest 2.6.

 Will provide updates as they are avail.

 -Original Message-

 From: Thomas Tsai

 Sent: Friday, October 05, 2012 4:14 PM

 To: 'packetfence-users@lists.sourceforge.net'

 Subject: RE: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue -
 Invalid RADIUS message authenticator

 Hi David.  Thx for chiming in here.  Yes,  by default it's enabled, but
 I just went back in to double check -- it's enabled.

 -Original Message-

 From: Bulanda, Dave G [mailto:dgbula...@indianatech.edu]

 Sent: Friday, October 05, 2012 1:48 PM

 To: 'packetfence-users@lists.sourceforge.net'

 Subject: Re: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue -
 Invalid RADIUS message authenticator

 Thomas,

 Is your WLC set to use RFC 3576?  I believe when that is not enabled
 that is the message that the WLC returns when you send the COA/DeAuth.

 David Bulanda

 Network Services Manager

 dgbula...@indianatech.edu

 Indiana Tech

 -Original Message-

 From: Thomas Tsai [mailto:tt...@canyonpartners.com]

 Sent: Friday, October 05, 2012 3:39 PM

 To: 'packetfence-users@lists.sourceforge.net'

 Subject: Re: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue -
 Invalid RADIUS message authenticator

 I'm a little lost - how can this be a radius shared secret issue if the
 WLC can contact the freeradius2 server to perform the initial
 authentication, but then fail during deauth?  Are these settings
 separate from one another?  It does not seem like they would be.

 -Original Message-

 From: Francois Gaudreault [mailto:fgaudrea...@inverse.ca]

 Sent: Friday, October 05, 2012 12:19 PM

 To: packetfence-users@lists.sourceforge.net

 Subject: Re: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue -
 Invalid RADIUS message authenticator

 Well, this is a shared secret issue, so make sure they are right...
 sometimes there is a trailing character at the end.

 If you run in HA, make sure the VIP is listed in the AAA server list on
 your WLC.

 On 2012-10-05 2:52 PM, Thomas Tsai wrote:

   Bump - can anyone offer any suggestions as to how to troubleshoot this

   particular problem?

  

   *From:* Thomas Tsai [mailto:tt...@canyonpartners.com]

   *Sent:* Thursday, October 04, 2012 7:11 PM

   *To:* 'packetfence-users@lists.sourceforge.net'

   *Subject:* [PacketFence-users] Cisco WLC

Re: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue - Invalid RADIUS message authenticator

2012-10-22 Thread Rich Graves
 Also, if it's a wrong shared secret, the initial authentication request
 via WLC (not deauth) would fail as well.  But it does not. 

 Am I incorrect in thinking this?

Possibly. The authentication request goes from WLC to PacketFence. The CoA goes 
from PacketFence to WLC. I don't have a WLC, but it's quite possible that the 
shared secrets need to be configured in different places. With my Aruba 
hardware, I use different shared secrets for RADIUS auth and CoA.



Re: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue - Invalid RADIUS message authenticator

2012-10-22 Thread Francois Gaudreault
On 2012-10-22 2:27 PM, Thomas Tsai wrote:
 *radiusRFC3576TransportThread: Oct 19 11:02:14.140: Request
Authenticator(recv'd) -
*31:42:70:62:b8:0e:0e:ea:a3:ef:01:1e:fa:c5:58:5a*

*radiusRFC3576TransportThread: Oct 19 11:02:14.140: Request
Authenticator(calc'd) -
*8e:5f:11:72:7e:f4:28:bf:02:e9:8e:18:ce:e2:97:44*
Well, the calculated Authenticator value is not the same as the received 
Authenticator value... So something is wrong.

Did you put the radiusSecret in your switches.conf for your device?  Do 
you see it in the radius nas table in the PF database? Do you use HA 
(aka having a VIP)?

-- 
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue - Invalid RADIUS message authenticator

2012-10-22 Thread Thomas Tsai
Francois,

FWIW, I read other FreeRADIUS forums regarding 64-bit platforms (which I'm 
using) where some versions fail to correctly calculate the MD5 checksum.

I wonder if this is the issue.

-Original Message-
From: Francois Gaudreault [mailto:fgaudrea...@inverse.ca] 
Sent: Monday, October 22, 2012 11:19 AM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue - Invalid 
RADIUS message authenticator

I still believe it is a wrong shared secret.  Do you have special chars 
in your secret?


Re: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue - Invalid RADIUS message authenticator

2012-10-22 Thread Thomas Tsai
Francois,

I think I found the smoking gun.  It's a problem with freeradius.

I am using FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built 
on Jun 22 2012 at 11:13:32, which was included with the latest PF distribution.

Per http://freeradius.org/, v2.20 fixes the following BUG:

*Correct calculation of Message-Authenticator for CoA and Disconnect replies. 
Patch from Jouni Malinen


Can I upgrade radius v2.20 without breaking PF?  Or is that something you guys 
need to review?

-Original Message-
From: Thomas Tsai [mailto:tt...@canyonpartners.com] 
Sent: Monday, October 22, 2012 11:47 AM
To: 'packetfence-users@lists.sourceforge.net'
Subject: Re: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue - Invalid 
RADIUS message authenticator

Francois,

FWIW, I read other FreeRADIUS forums regarding 64-bit platforms (which I'm 
using) where some versions fail to correctly calculate the MD5 checksum.

I wonder if this is the issue.


Re: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue - Invalid RADIUS message authenticator

2012-10-22 Thread Thomas Tsai
Actually I did not put radiusSecret in switches.conf.  Let me try that now.

-Original Message-
From: Francois Gaudreault [mailto:fgaudrea...@inverse.ca] 
Sent: Monday, October 22, 2012 11:39 AM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue - Invalid 
RADIUS message authenticator

On 2012-10-22 2:27 PM, Thomas Tsai wrote:
 *radiusRFC3576TransportThread: Oct 19 11:02:14.140: Request
Authenticator(recv'd) -
*31:42:70:62:b8:0e:0e:ea:a3:ef:01:1e:fa:c5:58:5a*

*radiusRFC3576TransportThread: Oct 19 11:02:14.140: Request
Authenticator(calc'd) -
*8e:5f:11:72:7e:f4:28:bf:02:e9:8e:18:ce:e2:97:44*
Well the calculated Authenticator value is not the same as the received 
Authenticator value... So something is Wrong.

Did you put the radiusSecret in your switches.conf for your device?  Do you see 
it in the radius nas table in the PF database? Do you use HA (aka having a VIP)?

--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca Inverse 
inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)



Re: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue - Invalid RADIUS message authenticator

2012-10-22 Thread Brian Candler
On Mon, Oct 22, 2012 at 06:50:57PM +, Thomas Tsai wrote:
 I think I found the smoking gun.  It's a problem with freeradius.
 
 I am using FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built 
 on Jun 22 2012 at 11:13:32, which was included with the latest PF distribution.
 
 Per http://freeradius.org/ , v2.20 fixes the following BUG:
 
 *Correct calculation of Message-Authenticator for CoA and Disconnect replies. 
 Patch from Jouni Malinen

That only changes the calculation of the authenticator for *replies*,
i.e. PW_DISCONNECT_ACK, PW_DISCONNECT_NAK, PW_COA_ACK, PW_COA_NAK

and therefore AFAICS this would only affect things if you were sending a CoA
request *to* a FreeRADIUS server, and FreeRADIUS were sending back the
response.

If you had not put any shared secret into switches.conf, then I'm pretty
sure that radclient would have been unable to send the CoA packet with the
right secret. At best it would have signed it with an empty secret.

 Can I upgrade radius v2.20 without breaking PF?  Or is that something you 
 guys need to review?

(You mean 2.2.0)

It was posted to this list a few days ago that you could, so by all means go
ahead, but I don't think that's your problem.

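To make Brian's point concrete, here is an added example (Python, not PacketFence or FreeRADIUS code) of the computation behind the WLC's "Request Authenticator(recv'd)" versus "Request Authenticator(calc'd)" log lines. RFC 5176 section 2.3 defines the Request Authenticator of a Disconnect-Request or CoA-Request as MD5(Code + Identifier + Length + 16 zero octets + Attributes + shared secret), the same rule as an Accounting-Request. An Access-Request's authenticator is random and carries no secret, which is why the WLC-to-PacketFence path (secret in the radius NAS table fed from switches.conf, or clients.conf in older setups) can work while the PacketFence-to-WLC CoA path, signed with whatever switches.conf holds, is rejected. The packet is built as the sender does it, then re-verified as the NAS does it with its own copy of the secret; the Message-Authenticator attribute (an HMAC-MD5 keyed with the same secret, behind FreeRADIUS's "Shared secret is incorrect" message) is not modelled here. The function names, the example secrets and the Calling-Station-Id format are this example's own assumptions; the MAC is the one from the packetfence.log excerpt later in this thread.

```python
"""Added example (not PacketFence or FreeRADIUS code): the RFC 5176 s2.3
Request Authenticator of a Disconnect-Request / CoA-Request, built on the
sender side and re-checked on the NAS side with its own shared secret.
All function names here are this example's own."""
import hashlib
import hmac
import struct

# RADIUS packet codes for Dynamic Authorization (RFC 5176)
DISCONNECT_REQUEST = 40
COA_REQUEST = 43
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)

# Attribute types (RFC 2865) used to identify the session to tear down
USER_NAME = 1
CALLING_STATION_ID = 31


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must be 0..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def request_authenticator(code: int, identifier: int, body: bytes, secret: bytes) -> bytes:
    """RFC 5176 s2.3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret).
    Unlike an Access-Request (random authenticator), this value depends on the
    shared secret, so a secret mismatch shows up as recv'd != calc'd."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    return hashlib.md5(header + bytes(16) + body + secret).digest()


def build_request(code: int, identifier: int, attrs, secret: bytes) -> bytes:
    """What the Dynamic Authorization Client (the PacketFence side) sends."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    auth = request_authenticator(code, identifier, body, secret)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    return header + auth + body


def verify_request(packet: bytes, secret: bytes):
    """What the NAS (the WLC) does on receipt, using *its* copy of the secret.
    Returns (ok, received_authenticator, calculated_authenticator)."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        raise ValueError(f"code {code} is not a Dynamic Authorization request")
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("Length field does not match the datagram")
    received = packet[4:HEADER_LEN]
    body = packet[HEADER_LEN:length]
    calculated = request_authenticator(code, identifier, body, secret)
    # constant-time comparison: the NAS should not leak where the mismatch is
    return hmac.compare_digest(received, calculated), received, calculated


def wlc_style(digest: bytes) -> str:
    """Colon-separated hex, the format of the WLC 'Request Authenticator' log lines."""
    return ":".join(f"{b:02x}" for b in digest)


def demo():
    """One packet checked with the right secret, a different one, and the
    'trailing character' variant a hand-edited config file can produce."""
    # MAC from the packetfence.log excerpt in this thread; the Calling-Station-Id
    # format the controller expects is an assumption of this example.
    attrs = [(CALLING_STATION_ID, b"00:88:10:88:59:88")]
    pf_secret = b"s3cret"  # example value standing in for radiusSecret in switches.conf
    pkt = build_request(DISCONNECT_REQUEST, 7, attrs, pf_secret)
    results = {}
    for label, nas_secret in [("same", pf_secret),
                              ("other", b"other"),
                              ("trailing-newline", pf_secret + b"\n")]:
        ok, recv, calc = verify_request(pkt, nas_secret)
        results[label] = ok
        print(f"{label:17} ok={ok}  recv'd {wlc_style(recv)}  calc'd {wlc_style(calc)}")
    return results


if __name__ == "__main__":
    demo()
```

Against a real controller the same check can be driven independently of PacketFence with FreeRADIUS's radclient from the PacketFence host: feed `Calling-Station-Id=<mac>` on stdin to `radclient -x <wlc-ip>:3799 disconnect <secret>` (port 1700 on Cisco controllers that use it). If the WLC logs "Invalid RADIUS message authenticator" for a secret you are sure of, compare the stored bytes on each side rather than what is displayed; as the "trailing-newline" case shows, one invisible character is enough to change every octet of the authenticator.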


Re: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue - Invalid RADIUS message authenticator

2012-10-22 Thread Thomas Tsai
I see where I went wrong.  I had added the client into the clients.conf file, 
which you had mentioned is in the admin guide on several other postings.

I removed it from the clients.conf file and added the secret to the 
switches.conf file.

Now, when I try to connect to the SSID, it fails outright -- whereas when I had 
it in clients.conf, I was able to at least connect.  When I run radiusd -X here 
is the output:

Received packet from [packetfence IP] with invalid Message-Authenticator!  
(Shared secret is incorrect.) Dropping packet without response.

Any ideas?  I'm 100% sure the key is typed in correctly.

-Original Message-
From: Thomas Tsai 
Sent: Monday, October 22, 2012 11:54 AM
To: 'packetfence-users@lists.sourceforge.net'
Subject: RE: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue - Invalid 
RADIUS message authenticator

Actually I did not put radiusSecret in switches.conf.  Let me try that now.



Re: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue - Invalid RADIUS message authenticator

2012-10-22 Thread Thomas Tsai
Okay!  Figured it out.  Turns out if I edit the switches.conf file directly via 
CLI it poses a problem, although it looks correct in everything I verify...

So, I edited it from the PF web GUI and that seems to have fixed the problem.  
I'm not sure why this caused an issue

Anyhow, deauthentication now works! Joy!

Thanks Francois.

-Original Message-
From: Thomas Tsai 
Sent: Monday, October 22, 2012 12:51 PM
To: 'packetfence-users@lists.sourceforge.net'
Subject: RE: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue - Invalid 
RADIUS message authenticator

I see where I went wrong.  I had added the client into the clients.conf file, 
which you had mentioned is in the admin guide on several other postings.

I removed it from the clients.conf file and added the secret to the 
switches.conf file.

Now, when I try to connect to the SSID, it fails outright -- whereas when I had 
it in clients.conf, I was able to at least connect.  When I run radiusd -X here 
is the output:

Received packet from [packetfence IP] with invalid Message-Authenticator!  
(Shared secret is incorrect.) Dropping packet without response.

Any ideas?  I'm 100% sure the key is typed in correctly.



Re: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue - Invalid RADIUS message authenticator

2012-10-05 Thread Thomas Tsai
Bump - can anyone offer any suggestions as to how to troubleshoot this 
particular problem?

From: Thomas Tsai [mailto:tt...@canyonpartners.com]
Sent: Thursday, October 04, 2012 7:11 PM
To: 'packetfence-users@lists.sourceforge.net'
Subject: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue - Invalid RADIUS 
message authenticator

When packetfence attempts to deauth/COA via radius on a WLC, the following 
error appears on the WLC: Invalid RADIUS message authenticator

A quick search yields some wisdom that Olivier provided to someone with a 
remotely similar issue.
http://comments.gmane.org/gmane.comp.networking.packetfence.user/3908

I have confirmed that I am running firmware 7.2.110.0 on the WLC, so this 
should work.  (Radius Disconnect)

I spot the issue below, but I am uncertain why the message authenticator is 
invalid. Am I doing something wrong?

PACKETFENCE.LOG:

Oct 04 18:37:39 register.cgi(0) INFO: 00:88:10:88:59:88 is currentlog connected 
at WLC IP ifIndex 13 in VLAN REG_VLAN 
(pf::enforcement::_should_we_reassign_vlan)
Oct 04 18:37:39 register.cgi(0) INFO: [CUSTOM-NOCATCH] Defined (y/n)? 1 -- 
value =  (pf::vlan::custom::getNormalVlan)
Oct 04 18:37:39 register.cgi(0) INFO: MAC: 00:88:10:88:59:88, PID: username, 
Status: reg. Returned VLAN: NORMAL_VLAN (pf::vlan::fetchVlanForNode)
Oct 04 18:37:39 register.cgi(0) INFO: VLAN reassignment required for 
00:88:10:88:59:88 (current VLAN = REG_VLAN but should be in VLAN NORMAL_VLAN) 
(pf::enforcement::_should_we_reassign_vlan)
Oct 04 18:37:39 register.cgi(0) INFO: switch port for 00:88:10:88:59:88 is WLC 
IP ifIndex 13 connection type: WiFi 802.1X 
(pf::enforcement::_vlan_reevaluation)
Oct 04 18:37:39 register.cgi(0) INFO: trying to dissociate a wireless 802.1x 
user, this might not work depending on hardware support. If its your case 
please file a bug (pf::enforcement::_vlan_reevaluation)
Oct 04 18:37:39 register.cgi(0) INFO: 10.0.0.39 - 00:88:10:88:59:88 on 
registration page 
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_register_2ecgi::handler)
Oct 04 18:37:40 pfdhcplistener(26773) INFO: 00:88:10:88:59:88 requested an IP. 
DHCP Fingerprint: OS::109 (Microsoft Windows 8). Modified node with last_dhcp = 
2012-10-04 18:37:40,computername = LAPTOPNAME,dhcp_fingerprint = 
1,15,3,6,44,46,47,31,33,121,249,252,43 (main::listen_dhcp)
Oct 04 18:37:40 pfdhcplistener(26773) INFO: DHCPACK from 10.0.0.254 
(00:99:56:99:00:99) to host 00:88:10:88:59:88 (10.0.0.39) for 20 seconds 
(main::parse_dhcp_ack)
Oct 04 18:37:42 pfsetvlan(21) INFO: local (127.0.0.1) trap for switch WLC IP 
(main::parseTrap)
Oct 04 18:37:42 pfsetvlan(1) INFO: nb of items in queue: 1; nb of threads 
running: 0 (main::startTrapHandlers)
Oct 04 18:37:42 pfsetvlan(1) INFO: desAssociate trap received on WLC IP for 
wireless client 00:88:10:88:59:88 (main::handleTrap)
Oct 04 18:37:42 pfcmd_vlan(26918) INFO: wireless deauthentication of a 802.1x 
MAC (main::)

Oct 04 18:37:50 pfdhcplistener(26773) INFO: 00:88:10:88:59:88 requested an IP. 
DHCP Fingerprint: OS::109 (Microsoft Windows 8). Modified node with last_dhcp = 
2012-10-04 18:37:50,computername = LAPTOPNAME,dhcp_fingerprint = 
1,15,3,6,44,46,47,31,33,121,249,252,43 (main::listen_dhcp)
Oct 04 18:37:50 pfdhcplistener(26773) INFO: DHCPACK from 10.0.0.254 
(00:99:56:99:00:99) to host 00:88:10:88:59:88 (10.0.0.39) for 20 seconds 
(main::parse_dhcp_ack)
Oct 04 18:37:52 pfcmd_vlan(26918) WARN: Unable to perform RADIUS 
Disconnect-Request: Timeout waiting for a reply from WLC IP on port 3799 at 
/usr/local/pf/lib/pf/util/radius.pm line 160. (pf::SNMP::__ANON__)
Oct 04 18:37:52 pfcmd_vlan(26918) ERROR: Wrong RADIUS secret or unreachable 
network device... (pf::SNMP::__ANON__)
Oct 04 18:37:52 pfsetvlan(1) INFO: finished (main::cleanupAfterThread)


WLC5508 radius debug log:

*radiusTransportThread: Oct 05 02:05:02.680: Enter processIncomingMessages: 
response code=5
*radiusTransportThread: Oct 05 02:05:02.680: Enter processRadiusResponse: 
response code=5
*radiusTransportThread: Oct 05 02:05:02.680: 00:27:10:41:59:60 
Accounting-Response received from RADIUS server PACKETFENCE IP for mobile 
00:88:10:88:59:88 receiveId = 0
*radiusRFC3576TransportThread: Oct 05 02:05:29.134: Invalid RADIUS message 
authenticator
*radiusRFC3576TransportThread: Oct 05 02:05:29.134: Invalid message 
authenticator received in 'RFC-3576 Disconnect-Request' from PACKETFENCE IP




Re: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue - Invalid RADIUS message authenticator

2012-10-05 Thread Francois Gaudreault
Well this is a shared secret issue, so make sure they are right... 
sometimes there is a trailing character at the end.

If you run in HA, make sure the VIP is listed in the AAA server list on 
your WLC.

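To make the shared-secret diagnosis concrete, here is an added example, not code from this thread and not PacketFence's own, that builds and verifies an RFC 5176 Disconnect-Request in Python the way a CoA client and the receiving WLC do. Both authenticators on that packet are keyed with the shared secret: the Message-Authenticator attribute is an HMAC-MD5 over the packet, and the Request Authenticator is an MD5 over the packet plus the secret. A secret that differs by a single trailing character therefore fails verification on the controller, which is the "Invalid RADIUS message authenticator" symptom, while Access-Requests from the same controller can keep succeeding, because in the PacketFence releases I know those are checked against the FreeRADIUS client entry, whereas the Disconnect-Request is signed with the radiusSecret configured for that switch in switches.conf (an assumption about the deployment, not something the thread states). The secret and identifier below are constructed placeholders; the MAC address is the one quoted in the thread.

```python
"""RFC 5176 Disconnect-Request signing and verification (added example)."""
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40          # RADIUS code for Disconnect-Request (RFC 5176)
ATTR_USER_NAME = 1
ATTR_CALLING_STATION_ID = 31
ATTR_MESSAGE_AUTHENTICATOR = 80  # HMAC-MD5 over the packet (RFC 3579)
HEADER_LEN = 20                  # code(1) + id(1) + length(2) + authenticator(16)


def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_disconnect_request(secret, identifier, attrs):
    """Build and sign a Disconnect-Request as a CoA client (e.g. FreeRADIUS) does.

    1. Message-Authenticator = HMAC-MD5(secret, packet) with the Authenticator
       field and the Message-Authenticator value both zeroed.
    2. Request Authenticator = MD5(code+id+length + 16 zero octets + attrs + secret).
    """
    body = b"".join(attr(t, v) for t, v in attrs)
    body += attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # placeholder, filled below
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, HEADER_LEN + len(body))
    msg_auth = hmac.new(secret, header + bytes(16) + body, hashlib.md5).digest()
    body = body[:-16] + msg_auth
    req_auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + req_auth + body


def verify_disconnect_request(secret, packet):
    """Return True only if both authenticators check out under `secret`.

    This mirrors what the controller does on receipt; any difference in the
    shared secret (a trailing space included) makes both checks fail.
    """
    if len(packet) < HEADER_LEN:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False
    header, req_auth, body = packet[:4], packet[4:20], packet[20:]
    # Request Authenticator check: catches a wrong secret and any tampering.
    expected_req_auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected_req_auth, req_auth):
        return False
    # Walk the attributes, zeroing the Message-Authenticator value for the HMAC.
    offset, msg_auth, zeroed_body = 0, None, b""
    while offset < len(body):
        if offset + 2 > len(body):
            return False
        attr_type, attr_len = body[offset], body[offset + 1]
        if attr_len < 2 or offset + attr_len > len(body):
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            msg_auth = body[offset + 2:offset + 18]
            zeroed_body += body[offset:offset + 2] + bytes(16)
        else:
            zeroed_body += body[offset:offset + attr_len]
        offset += attr_len
    if msg_auth is None:
        return False  # a controller checking RFC 3576 requests expects this attribute
    expected_msg_auth = hmac.new(secret, header + bytes(16) + zeroed_body, hashlib.md5).digest()
    return hmac.compare_digest(expected_msg_auth, msg_auth)


def secret_mismatch_report(packet, candidates):
    """Try each labelled candidate secret against a captured packet."""
    return {label: verify_disconnect_request(s, packet) for label, s in candidates.items()}


if __name__ == "__main__":
    # Constructed values: placeholder secret and identifier, MAC from the thread.
    secret = b"pf-coa-secret"
    pkt = build_disconnect_request(secret, 7, [
        (ATTR_USER_NAME, b"00:88:10:88:59:88"),
        (ATTR_CALLING_STATION_ID, b"00-88-10-88-59-88"),
    ])
    print(secret_mismatch_report(pkt, {
        "exact secret": secret,
        "trailing space": secret + b" ",
        "trailing newline": secret + b"\n",
    }))
```

Running the script shows that only the exact secret verifies; the trailing-space and trailing-newline variants fail, which is why a stray character pasted into either side's secret produces the controller's error even though the rest of the packet is well formed.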

Re: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue - Invalid RADIUS message authenticator

2012-10-05 Thread Thomas Tsai
I'm a little lost - how can this be a radius shared secret issue if the WLC can 
contact the freeradius2 server to perform the initial authentication, but then 
fail during deauth?  Are these settings separate from one another?  It does not 
seem like they would be.


Re: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue - Invalid RADIUS message authenticator

2012-10-05 Thread Thomas Tsai
Hi David.  Thx for chiming in here.  Yes,  by default it's enabled, but I just 
went back in to double check -- it's enabled.

-Original Message-
From: Bulanda, Dave G [mailto:dgbula...@indianatech.edu] 
Sent: Friday, October 05, 2012 1:48 PM
To: 'packetfence-users@lists.sourceforge.net'
Subject: Re: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue - Invalid 
RADIUS message authenticator

Thomas,

Is your WLC set to use RFC 3576?  I believe when that is not enabled that is 
the message that the WLC returns when you send the COA/DeAuth.


David Bulanda
Network Services Manager
dgbula...@indianatech.edu
Indiana Tech





Re: [PacketFence-users] Cisco WLC 5508 DeAuth / COA issue - Invalid RADIUS message authenticator

2012-10-05 Thread Thomas Tsai
Update:  It's enabled, but it isn't working.

I took packetfence out of the mix, and assumed it was the WLC, so I went to 
hunt for a way to test COA/Deauth on a WLC5500.

https://supportforums.cisco.com/docs/DOC-8473

Here is an article to a PDF document describing how to do this, with radtest 
2.6.


Will provide updates as they are avail.



Re: [PacketFence-users] Cisco WLC 5508 wireless auth to PF FreeRadius

2012-10-04 Thread Thomas Tsai
I think I see the issue now, but I don't know how to fix... Please help!

Localhost test yields:

Thu Oct  4 15:37:03 2012 : Auth: Login OK: [guest/password] (from client 
localhost port 12)
Thu Oct  4 15:37:03 2012 : Info: rlm_perl: MAC address is empty or invalid in 
this request. It could be normal on certain radius calls

Thu Oct  4 15:37:17 2012 : Auth: Login incorrect: [guest/via Auth-Type = EAP] 
(from client WLC port 13 cli 00-88-10-88-59-88 via TLS tunnel)
Thu Oct  4 15:37:17 2012 : Auth: Login incorrect: [guest/via Auth-Type = EAP] 
(from client WLC port 13 cli 00-88-10-88-59-88)

So the password being passed along is not the actual password, but via 
Auth-Type = EAP ?  Where have I gone wrong?

-Original Message-
From: Thomas Tsai [mailto:tt...@canyonpartners.com] 
Sent: Thursday, October 04, 2012 3:36 PM
To: 'packetfence-users@lists.sourceforge.net'
Subject: [PacketFence-users] Cisco WLC 5508 wireless auth to PF FreeRadius

Now that I finally figured out the issue with the freeradius config I had,  I 
have the following dilemma.

I've configured the WLC per the specifications outlined in the packetfence 
network device configuration pdf guide (which is very detailed and up to date).

Now that I have started internal testing,  I have run into an issue where the 
client cannot connect.  

The client sees a prompt for username / password upon joining the SSID that is 
configured for packetfence (SSID created for Secure method).  Once the client 
enters in credentials and submits,   I see the following in the 
/usr/local/pf/log/radius.log log:

Thu Oct  4 15:29:29 2012 : Auth: Login incorrect: [guest] (from client WLC port 13 cli 00-88-10-88-59-88 via TLS tunnel)
Thu Oct  4 15:29:29 2012 : Auth: Login incorrect: [guest] (from client WLC port 13 cli 00-88-10-88-59-88)
Thu Oct  4 15:30:26 2012 : Auth: Login OK: [guest] (from client localhost port 12)

Currently, I am using local file for authentication (so the users file 
/usr/local/pf/raddb/users)

Which contains the following:

DEFAULT EAP-Message !* , Auth-Type := Accept
guest Cleartext-Password := password



Any suggestions anyone?

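The radius.log lines in this message are terse, and the bracketed "[guest/via Auth-Type = EAP]" is easy to misread as a password. In FreeRADIUS 2.x that slot shows the request's Auth-Type whenever the request carried no User-Password attribute, which is always the case for EAP methods, so the line reports that the inner EAP authentication failed, not that a wrong cleartext password arrived. As an added example (not part of the thread and not PacketFence code), the Python below parses such lines into fields, normalizes the Calling-Station-Id MAC, and summarizes results per NAS client and client MAC, keeping inner-tunnel failures separate from outer ones. The sample lines are the ones quoted in this message plus the rlm_perl Info line, embedded as constructed input.

```python
"""Parse FreeRADIUS 2.x radius.log 'Auth:' lines and summarize per client/MAC (added example)."""
import re
from collections import defaultdict

# Bracketed part is [user] or [user/<password-or-reason>]. With no User-Password
# in the request (every EAP method) the reason slot reads "via Auth-Type = EAP".
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) : Auth: "
    r"Login (?P<result>OK|incorrect): "
    r"\[(?P<user>[^\]/]*)(?:/(?P<detail>[^\]]*))?\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)"
    r"(?: cli (?P<cli>\S+))?(?P<tunnel> via TLS tunnel)?\)$"
)

# Constructed sample: the lines quoted in the thread plus one non-Auth Info line.
SAMPLE_LINES = [
    "Thu Oct  4 15:29:29 2012 : Auth: Login incorrect: [guest] (from client WLC port 13 cli 00-88-10-88-59-88 via TLS tunnel)",
    "Thu Oct  4 15:29:29 2012 : Auth: Login incorrect: [guest] (from client WLC port 13 cli 00-88-10-88-59-88)",
    "Thu Oct  4 15:30:26 2012 : Auth: Login OK: [guest] (from client localhost port 12)",
    "Thu Oct  4 15:37:03 2012 : Auth: Login OK: [guest/password] (from client localhost port 12)",
    "Thu Oct  4 15:37:03 2012 : Info: rlm_perl: MAC address is empty or invalid in this request. It could be normal on certain radius calls",
    "Thu Oct  4 15:37:17 2012 : Auth: Login incorrect: [guest/via Auth-Type = EAP] (from client WLC port 13 cli 00-88-10-88-59-88 via TLS tunnel)",
    "Thu Oct  4 15:37:17 2012 : Auth: Login incorrect: [guest/via Auth-Type = EAP] (from client WLC port 13 cli 00-88-10-88-59-88)",
]


def normalize_mac(cli):
    """Turn the NAS's dashed Calling-Station-Id into colon-separated lowercase."""
    if cli is None:
        return None
    return cli.replace("-", ":").lower()


def parse_auth_line(line):
    """Return a dict of fields for an 'Auth:' line, or None for any other line."""
    m = AUTH_RE.match(line.rstrip())
    if not m:
        return None
    detail = m["detail"]
    return {
        "timestamp": m["ts"],
        "result": m["result"],
        "user": m["user"],
        "detail": detail,
        "client": m["client"],
        "port": int(m["port"]),
        "mac": normalize_mac(m["cli"]),
        "inner_tunnel": m["tunnel"] is not None,
        # True when FreeRADIUS logged the Auth-Type because no User-Password was present.
        "no_user_password": bool(detail) and detail.startswith("via Auth-Type"),
    }


def summarize(lines):
    """Count outcomes per (client, mac); inner-tunnel failures are tallied separately."""
    summary = defaultdict(lambda: {
        "ok": 0, "incorrect": 0, "inner_tunnel_incorrect": 0, "no_user_password": 0,
    })
    for line in lines:
        rec = parse_auth_line(line)
        if rec is None:
            continue
        entry = summary[(rec["client"], rec["mac"])]
        if rec["result"] == "OK":
            entry["ok"] += 1
            continue
        entry["incorrect"] += 1
        if rec["inner_tunnel"]:
            entry["inner_tunnel_incorrect"] += 1
        if rec["no_user_password"]:
            entry["no_user_password"] += 1
    return dict(summary)


if __name__ == "__main__":
    for key, counts in summarize(SAMPLE_LINES).items():
        print(key, counts)
```

For the sample, the WLC client with MAC 00:88:10:88:59:88 shows four failures, two of them inside the TLS tunnel and two with no User-Password, while the localhost radtest logins succeed; that split is what distinguishes "the EAP inner method rejected the user" from "the NAS sent a bad password".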


Re: [PacketFence-users] Cisco WLC 5508 wireless auth to PF FreeRadius

2012-10-04 Thread Fabrice Durand
Hi Thomas,
Try to run radius in debug mode:
ps -edf |grep radius
kill -15 (the pid of radius)
And launch radius with -X (copy and paste the line from ps -edf and add -X)
You will see exactly what happens.

Fabrice 

Re: [PacketFence-users] Cisco WLC 5508 wireless auth to PF FreeRadius

2012-10-04 Thread Fabrice Durand
Humm, look at your client profile, I think something is wrong.

Thomas Tsai tt...@canyonpartners.com wrote:

Yes...Thank you.  In fact I already started doing that.  Very informative.  
Turns out that:

[mschap] ERROR: User-Name (guest) is not the same as MS-CHAP Name 
(domain\username) from EAP-MSCHAPv2

More poking to do.

-Original Message-
From: Fabrice Durand [mailto:fdur...@inverse.ca] 
Sent: Thursday, October 04, 2012 3:48 PM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Cisco WLC 5508 wireless auth to PF FreeRadius

Hi Thomas,
Try to run radius in debug mode:
ps -edf |grep radius
kill -15 (the pid of radius)
And launch radius with -X (copy and paste the line from ps -edf and add -X).
You will see exactly what happens.

Fabrice 

Thomas Tsai tt...@canyonpartners.com wrote:

I think I see the issue now, but I don't know how to fix... Please help!

Localhost test yields:

Thu Oct  4 15:37:03 2012 : Auth: Login OK: [guest/password] (from client localhost port 12)
Thu Oct  4 15:37:03 2012 : Info: rlm_perl: MAC address is empty or invalid in this request. It could be normal on certain radius calls

Thu Oct  4 15:37:17 2012 : Auth: Login incorrect: [guest/via Auth-Type = EAP] (from client WLC port 13 cli 00-88-10-88-59-88 via TLS tunnel)
Thu Oct  4 15:37:17 2012 : Auth: Login incorrect: [guest/via Auth-Type = EAP] (from client WLC port 13 cli 00-88-10-88-59-88)

So the password being passed along is not the actual password, but via 
Auth-Type = EAP ?  Where have I gone wrong?

-Original Message-
From: Thomas Tsai [mailto:tt...@canyonpartners.com]
Sent: Thursday, October 04, 2012 3:36 PM
To: 'packetfence-users@lists.sourceforge.net'
Subject: [PacketFence-users] Cisco WLC 5508 wireless auth to PF 
FreeRadius

Now that I finally figured out the issue with the freeradius config I had,  I 
have the following dilemma.

I've configured the WLC per the specifications outlined in the packetfence 
network device configuration pdf guide (which is very detailed and up to 
date).

Now that I have started internal testing,  I have run into an issue where the 
client cannot connect.  

The client sees a prompt for username / password upon joining the SSID that 
is configured for PacketFence (SSID created for the Secure method).  Once the 
client enters credentials and submits, I see the following in the 
/usr/local/pf/log/radius.log log:

Thu Oct  4 15:29:29 2012 : Auth: Login incorrect: [guest] (from client WLC port 13 cli 00-88-10-88-59-88 via TLS tunnel)
Thu Oct  4 15:29:29 2012 : Auth: Login incorrect: [guest] (from client WLC port 13 cli 00-88-10-88-59-88)
Thu Oct  4 15:30:26 2012 : Auth: Login OK: [guest] (from client localhost port 12)

Currently, I am using a local file for authentication (so the users file 
/usr/local/pf/raddb/users)

Which contains the following:

DEFAULT EAP-Message !* "", Auth-Type := Accept
guest   Cleartext-Password := "password"



Any suggestions anyone?


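Added example, not code from the thread or from PacketFence: a parser for the "Auth: Login" lines of radius.log in the form quoted above, plus the check this thread effectively performs by hand, flagging a user who authenticates OK from localhost (radtest) but fails inside the TLS tunnel from the WLC, which points at the inner EAP method or the client profile rather than the users file. The sample lines are constructed after the ones quoted in the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample lines, modelled on the radius.log excerpts quoted in the thread.
SAMPLE_LOG = """\
Thu Oct  4 15:29:29 2012 : Auth: Login incorrect: [guest] (from client WLC port 13 cli 00-88-10-88-59-88 via TLS tunnel)
Thu Oct  4 15:29:29 2012 : Auth: Login incorrect: [guest] (from client WLC port 13 cli 00-88-10-88-59-88)
Thu Oct  4 15:30:26 2012 : Auth: Login OK: [guest] (from client localhost port 12)
Thu Oct  4 15:37:03 2012 : Info: rlm_perl: MAC address is empty or invalid in this request.
Thu Oct  4 15:37:17 2012 : Auth: Login incorrect: [guest/via Auth-Type = EAP] (from client WLC port 13 cli 00-88-10-88-59-88 via TLS tunnel)
"""

# One "Auth: Login ..." line as FreeRADIUS 2.x writes it; Info/Error lines do not match.
AUTH_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: Login (?P<result>OK|incorrect): "
    r"\[(?P<user>[^\]/]+)(?:/(?P<detail>[^\]]*))?\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)"
    r"(?: cli (?P<cli>[0-9A-Fa-f-]+))?(?P<tunnel> via TLS tunnel)?\)$"
)

@dataclass
class AuthEvent:
    ts: str
    ok: bool
    user: str
    detail: Optional[str]   # after "user/": the password on a radtest run, or "via Auth-Type = EAP"
    client: str             # NAS shortname from clients.conf, or "localhost"
    cli: Optional[str]      # Calling-Station-Id (client MAC) when the NAS supplied one
    tunneled: bool          # inner request of an EAP TLS tunnel (PEAP/TTLS)

def parse_log(text: str) -> List[AuthEvent]:
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line.strip())
        if m:
            events.append(AuthEvent(m["ts"], m["result"] == "OK", m["user"], m["detail"],
                                    m["client"], m["cli"], m["tunnel"] is not None))
    return events

def ok_locally_but_failing_in_tunnel(events: List[AuthEvent]) -> Dict[str, Set[str]]:
    """user -> NAS names where that user failed inside a TLS tunnel although the same
    user name authenticated OK from localhost (credential fine, inner EAP method suspect)."""
    ok_local = {e.user for e in events if e.ok and e.client == "localhost"}
    suspects: Dict[str, Set[str]] = {}
    for e in events:
        if not e.ok and e.tunneled and e.user in ok_local:
            suspects.setdefault(e.user, set()).add(e.client)
    return suspects
```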
Re: [PacketFence-users] Cisco WLC 5508 wireless auth to PF FreeRadius

2012-10-04 Thread Ludovic Marcotte
On 04/10/12 19:19, Thomas Tsai wrote:
 Exec-Program output: Exec-Program: FAILED to execute /usr/bin/ntlm_auth: No 
 such file or directory
 Exec-Program-Wait: plaintext: Exec-Program: FAILED to execute 
 /usr/bin/ntlm_auth: No such file or directory
That should ring a bell, shouldn't it? ;-)

-- 
Ludovic Marcotte
+1.514.755.3630  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)




Re: [Packetfence-users] Cisco WLC 4400 Wireless LAN Controller

2011-09-16 Thread Francois Gaudreault

Hi Jake,

This is the MAC filtering in the WLC.  Basically, you enable the MAC 
filtering in your security tab for the SSID, and in the AAA server, you 
point it to your RADIUS.


On 11-09-16 4:36 PM, Sallee, Stephen (Jake) wrote:


@ all:

I understand that PF supports the Cisco 4400 WLC, but 
I have some questions.  Namely has anyone gotten RADIUS MAC 
authentication to work with the WLC and PF? From what I can see it 
only supports 802.1x.


Jake Sallee

Godfather of Bandwidth

System Engineer

University of Mary Hardin-Baylor

900 College St.

Belton, Texas

76513

Fone: 254-295-4658

Phax: 254-295-4221





--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)



Re: [Packetfence-users] Cisco WLC 4400 Wireless LAN Controller

2011-09-16 Thread Sallee, Stephen (Jake)
 This is the MAC filtering in the WLC.  Basically, you enable the MAC 
 filtering in your security tab for the SSID, and in the AAA server, you point 
 it to your RADIUS.

Ah, that makes *a little* sense.  I actually had already done that : )  I think 
I may be in for a TAC call because I need a way to have more than one VLAN on a 
single SSID and I am not seeing anywhere on the WLC that it can be done ... I 
would be most interested to hear how others have accomplished VLAN switching on 
the WLC within SSIDs.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221

From: Francois Gaudreault [mailto:fgaudrea...@inverse.ca]
Sent: Friday, September 16, 2011 3:46 PM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [Packetfence-users] Cisco WLC 4400 Wireless LAN Controller

Hi Jake,

This is the MAC filtering in the WLC.  Basically, you enable the MAC filtering 
in your security tab for the SSID, and in the AAA server, you point it to your 
RADIUS.

On 11-09-16 4:36 PM, Sallee, Stephen (Jake) wrote:
@ all:
I understand that PF supports the Cisco 4400 WLC, but I have 
some questions.  Namely has anyone gotten RADIUS MAC authentication to work 
with the WLC and PF? From what I can see it only supports 802.1x.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221


--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)


Re: [Packetfence-users] Cisco WLC 4400 Wireless LAN Controller

2011-09-16 Thread Ludovic Marcotte

On Friday, 16 September 2011 17:12 EDT, Sallee, Stephen (Jake) jake.sal...@umhb.edu wrote:


 Ah, that makes *a little* sense. I actually had already done that : ) I think I may be in for a TAC call because I need a way to have more than one VLAN on a single SSID and I am not seeing anywhere on the WLC that it can be done ... I would be most interested to hear how others have accomplished VLAN switching on the WLC within SSIDs.

Different VLANs can be returned by the RADIUS server using tunneling attributes (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID) - within the same SSID.

--
Ludovic Marcotte
lmarco...@inverse.ca :: +1.514.755.3630 :: http://inverse.ca
Inverse inc. :: Leaders behind SOGo (http://sogo.nu) and PacketFence (http://packetfence.org)



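Added example, not PacketFence code and not from the thread: the three tunnel attributes Ludovic names, encoded and decoded as they travel in an Access-Accept per RFC 2868, including the length check a receiver needs and the tag quirk of Tunnel-Private-Group-ID. Attribute numbers and enumerated values are the RFC's; the VLAN ids and the tag value are made up for the example.

```python
import struct
from typing import Dict, List, Tuple

# Attribute numbers and enumerated values from RFC 2868 (RADIUS tunnel attributes).
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13         # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6    # Tunnel-Medium-Type = IEEE-802

def _avp(attr_type: int, value: bytes) -> bytes:
    """One Type/Length/Value attribute; Length includes the two header octets."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def vlan_assignment_avps(vlan_id: int, tag: int = 1) -> bytes:
    """Serialise the three attributes an Access-Accept carries to place the client
    in vlan_id; all three share one tag so the NAS groups them (RFC 2868 s.3)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id outside the 802.1Q range")
    tagged_int = lambda v: bytes([tag]) + v.to_bytes(3, "big")   # Tag + 3-octet integer
    return (_avp(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
            + _avp(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE_802))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))

def parse_avps(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a run of attributes; rejects a Length that would read past the buffer."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 3 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute length")
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out

def vlan_from_avps(data: bytes) -> Dict[int, int]:
    """{tag: vlan_id} for every tag whose Type is VLAN and Medium is IEEE-802.
    RFC 2868 s.3.6: a Tunnel-Private-Group-ID whose first octet is > 0x1F has
    no tag octet at all, so it is taken as tag 0."""
    types, media, groups = {}, {}, {}
    for t, v in parse_avps(data):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            (types if t == TUNNEL_TYPE else media)[v[0]] = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            tag, group = (v[0], v[1:]) if v[0] <= 0x1F else (0, v)
            groups[tag] = group.decode("ascii", "replace")
    return {tag: int(g) for tag, g in groups.items() if g.isdigit()
            and types.get(tag) == TUNNEL_TYPE_VLAN and media.get(tag) == TUNNEL_MEDIUM_IEEE_802}
```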