Hello again:

I noticed that after my upgrade to 4.4.0-1 from 4.3.something my users hitting 
the registration vlan on my Cisco WLC were not able to get to the captive 
portal.

This was a bit of a head scratcher, but I think we have found the cause.

This may be special to my environment but I wanted to share with the community 
just in case people run across it in the future. This may also be specific to 
using RADIUS auth, but as far as I know that is the only type that works with 
the version of code I am running on my WLC.

If you want to use role-based VLAN assignments with the Cisco WLC you have to 
set up ACLs on your WLC that have the name of the role you wish to assign, since 
PF passes these roles to the WLC as you can see here:

<begin pcap>
---------------------------------
No.     Time               Source                Destination           Protocol Length     Info
2        0.067360000    <REDACTED>    <REDACTED>      RADIUS    99           Access-Accept(2) (id=26, l=57)

Frame 2: 99 bytes on wire (792 bits), 99 bytes captured (792 bits) on interface 0
    Interface id: 0
    Encapsulation type: Ethernet (1)
    Arrival Time: Sep 11, 2014 14:31:33.795454000 CDT
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1410463893.795454000 seconds
    [Time delta from previous captured frame: 0.067360000 seconds]
    [Time delta from previous displayed frame: 0.067360000 seconds]
    [Time since reference or first frame: 0.067360000 seconds]
    Frame Number: 2
    Frame Length: 99 bytes (792 bits)
    Capture Length: 99 bytes (792 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:udp:radius]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: <REDACTED>, Dst: <REDACTED>
    Destination: <REDACTED>
        Address: <REDACTED>
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: <REDACTED>
        Address: <REDACTED>
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IP (0x0800)
Internet Protocol Version 4, Src: <REDACTED>, Dst: <REDACTED>
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
    Total Length: 85
    Identification: 0x34b5 (13493)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (17)
    Header checksum: 0x2f74 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: <REDACTED>
    Destination: <REDACTED>
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: radius (1812), Dst Port: filenet-tms (32768)
    Source port: radius (1812)
    Destination port: filenet-tms (32768)
    Length: 65
    Checksum: 0x16c2 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
Radius Protocol
    Code: Access-Accept (2)
    Packet identifier: 0x1a (26)
    Length: 57
    Authenticator: <REDACTED>
    [This is a response to a request in frame 1]
    [Time from request: 0.067360000 seconds]
    Attribute Value Pairs
        AVP: l=5  t=Tunnel-Private-Group-Id(81): 113
            Tunnel-Private-Group-Id: 113
        AVP: l=6  t=Tunnel-Type(64) Tag=0x00: VLAN(13)
            Tag: 0x00
            Tunnel-Type: VLAN (13)
        AVP: l=6  t=Tunnel-Medium-Type(65) Tag=0x00: IEEE-802(6)
            Tag: 0x00
            Tunnel-Medium-Type: IEEE-802 (6)
        AVP: l=20  t=Vendor-Specific(26) v=Airespace, Inc (formerly Black Storm Networks)(14179)
            VSA: l=14 t=Airespace-ACL-Name(6): registration
                Airespace-ACL-Name: registration
---------------------------------
<end pcap>

In previous versions I do not think the registration and isolation roles 
passed an ACL, since I did not have the ACLs in my WLC and everything was 
working, but the new version does pass the ACLs on the registration role (and 
possibly the isolation role as well, but I have not gotten to test that). Once I 
added the registration ACL, it started working again.

I'm not sure this will help anyone but me, but there you have it.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221
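
As an added illustration of what the capture above carries (this is not part of the original post and is not PacketFence or Cisco code), the Python below reconstructs an Access-Accept with the same attribute layout (id 26, length 57, Tunnel-Private-Group-Id 113, Tunnel-Type VLAN, Tunnel-Medium-Type IEEE-802, and the Airespace-ACL-Name VSA "registration"), decodes it the way a dissector would, and then checks the pushed ACL name against a list of ACLs assumed to exist on the WLC. The all-zero authenticator and the WLC ACL lists are constructed placeholders; the RFC 2865/2868 attribute numbers and the Airespace vendor id 14179 are as shown in the capture.

```python
"""Decode a RADIUS Access-Accept and verify the WLC knows the ACL it names.

Added example for the PacketFence-users post on Airespace-ACL-Name; not
PacketFence or Cisco code. Packet bytes are constructed to mirror the
capture; authenticator and WLC ACL sets are placeholders.
"""
import struct

RADIUS_ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26          # RFC 2865
ATTR_TUNNEL_TYPE = 64              # RFC 2868, tagged integer
ATTR_TUNNEL_MEDIUM_TYPE = 65       # RFC 2868, tagged integer
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81  # RFC 2868, tagged string (VLAN id)
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6
VENDOR_AIRESPACE = 14179
AIRESPACE_ACL_NAME = 6             # VSA sub-type seen in the capture


def build_access_accept(ident, vlan, acl_name, authenticator=b"\x00" * 16):
    """Construct an Access-Accept carrying the same four AVPs as the capture."""
    vlan_bytes = str(vlan).encode()
    avps = struct.pack("!BB", ATTR_TUNNEL_PRIVATE_GROUP_ID, 2 + len(vlan_bytes)) + vlan_bytes
    # Tagged integers: one tag byte (0x00) followed by a 3-byte value.
    avps += struct.pack("!BB", ATTR_TUNNEL_TYPE, 6) + b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big")
    avps += struct.pack("!BB", ATTR_TUNNEL_MEDIUM_TYPE, 6) + b"\x00" + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")
    # Vendor-Specific: 4-byte vendor id, then vendor sub-attribute (type, len, value).
    vsa = struct.pack("!BB", AIRESPACE_ACL_NAME, 2 + len(acl_name)) + acl_name.encode()
    avps += struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(vsa), VENDOR_AIRESPACE) + vsa
    header = struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, ident, 20 + len(avps))
    return header + authenticator + avps


def parse_access_accept(packet):
    """Walk the AVPs and pull out the VLAN and Airespace ACL assignment."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS Length field does not match the packet")
    result = {"code": code, "id": ident, "length": length, "vlan": None,
              "tunnel_type": None, "tunnel_medium": None, "acl_name": None}
    pos = 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed AVP at offset %d" % pos)
        value = packet[pos + 2:pos + attr_len]
        if attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # A leading byte in 0x00..0x1F is a tag; the capture shows none.
            if value and value[0] <= 0x1F:
                value = value[1:]
            result["vlan"] = value.decode()
        elif attr_type == ATTR_TUNNEL_TYPE:
            result["tunnel_type"] = int.from_bytes(value[1:4], "big")
        elif attr_type == ATTR_TUNNEL_MEDIUM_TYPE:
            result["tunnel_medium"] = int.from_bytes(value[1:4], "big")
        elif attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 4:
            vendor = struct.unpack("!I", value[:4])[0]
            sub, sub_pos = value[4:], 0
            while vendor == VENDOR_AIRESPACE and sub_pos + 2 <= len(sub):
                sub_type, sub_len = sub[sub_pos], sub[sub_pos + 1]
                if sub_len < 2 or sub_pos + sub_len > len(sub):
                    raise ValueError("malformed vendor sub-attribute")
                if sub_type == AIRESPACE_ACL_NAME:
                    result["acl_name"] = sub[sub_pos + 2:sub_pos + sub_len].decode()
                sub_pos += sub_len
        pos += attr_len
    return result


def check_wlc_acls(parsed, wlc_acl_names):
    """Return the problems a controller would hit applying this Access-Accept.

    The post's failure mode: the RADIUS reply names an ACL the WLC has not
    defined, so clients in that role never reach the captive portal.
    """
    problems = []
    acl = parsed.get("acl_name")
    if acl is not None and acl not in wlc_acl_names:
        problems.append("Airespace-ACL-Name '%s' is not defined on the WLC" % acl)
    return problems


if __name__ == "__main__":
    pkt = build_access_accept(26, 113, "registration")
    decoded = parse_access_accept(pkt)
    print(decoded)
    print(check_wlc_acls(decoded, {"guest"}))                 # missing ACL
    print(check_wlc_acls(decoded, {"registration", "isolation"}))
```

Running it against a controller ACL list that lacks "registration" reports the mismatch; once the set contains every role name PacketFence can return, the check is empty. In practice the set would be read from the WLC configuration rather than typed in.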

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
