Hello Francois,

Thanks for the response.

Radius, in all cases is acting perfectly and, in debug mode or not,
returns 'validation' - 'ok'. For EAP connections, it validates the
connection and for 'public' connections (requiring the captive portal)
it returns 'ok' with a reference to vlan 102 (our registration
vlan). I think that there is no problem there.

At this point it seems that PacketFence is doing everything correctly
and that our problem lies in the access point config. I have radically
simplified the AP config in an attempt to isolate the issue. All the
encrypted EAP vlans, etc. have been removed and only our 'public' vlan
(for the captive portal), vlan 102 (registration) and vlan 103
(isolation) are implemented. After the captive portal is
working I will add back the EAP vlans.

I could not get an IP address until I removed the encryption for vlan
6 under the Dot11Radio0 interface. I removed :

encryption vlan 6 mode ciphers aes-ccm

(This line is present in your example config for the Cisco Aironet
1250 for the 'normal' vlan. This corresponds to the PacketFence-Public
SSID.)

However, the captive portal is only *sometimes* invoked and, usually,
even though the MAC is unregistered by PF, a regular connection to
vlan 6 is made. That is, the vlan is *not* changed to 102 (our
registration vlan) and an IP address is *not* assigned by the PF DHCP
server !!!

The packetfence.log contains entries stopping the deauthentication
trap from the access point and a warning that is 'unable to parse the
trapline'. 'doWeActOnThisTrap' then returns false and the
dot11Deauthentication handling is stopped. I'd be happy to send the
exact lines if you think they are relevant.

I must back up here and ask you a simple overview question : why are
both the 'public' and the 'registration' vlans encrypted as above in
the example. Perhaps I'm missing something obvious but it would seem
that they should be open ...

Very interested in what you have to say.

Best wishes for the new year,

Chris

On Mon  3.Jan'11 at 10:18:04 -0500, Francois Gaudreault wrote:
>   Chris,
> 
> If you manually turn off, and turn back on the radio, are you able to 
> get an IP at all?
> 
> What radius tells you in debug mode?
> 
> On 10-12-30 3:38 PM, cg wrote:
> > Hello List,
> >
> > Hope everyone here will have a great and auspicious new year.
> >
> > Closing in on our Debian adaptation of version 2.0.0 ; the wifi side
> > of things is showing validation by radius and an *almost* working
> > captive portal. Can anyone comment on the following log results ?
> >
> >
> > Dec 30 21:18:51 pf::WebAPI(5578) INFO: handling radius autz request:
> > from switch_ip =>  nnn.nnn.nnn.nnn, connection_type =>
> > Wireless-802.11-NoEAP mac =>  aa:bb:cc:dd:ee:ff, port =>  604, username
> > =>  aabbccddeeff (pf::radius::authorize)
> > Dec 30 21:18:51 pf::WebAPI(5578) WARN: Unable to extract SSID for
> > module pf::SNMP::Cisco::Aironet_1250. SSID-based VLAN assignments
> > won't work. Please let us know so we can add support for
> > it. (pf::SNMP::extractSsid)
> > Dec 30 21:18:51 pf::WebAPI(5578) INFO: MAC: aa:bb:cc:dd:ee:ff is of
> > status unreg; belongs into registration VLAN
> > (pf::vlan::getRegistrationVlan)
> > Dec 30 21:18:51 pf::WebAPI(5578) INFO: Returning ACCEPT with VLAN: 102
> > (pf::radius::authorize)
> > Dec 30 21:18:54 pfsetvlan(17) WARN: unable to parse trapLine.. here's
> > the line: nnn.nnn.nnn.nnn||dot11Deauthentication|||aa:bb:cc:dd:ee:ff
> > (main::startTrapHandlers)
> > Dec 30 21:18:54 pfsetvlan(17) INFO: nb of items in queue: 1; nb of
> > threads running: 0 (main::startTrapHandlers)
> > Dec 30 21:18:54 pfsetvlan(17) INFO: doWeActOnThisTrap returns
> > false. Stop dot11Deauthentication handling (main::handleTrap)
> > Dec 30 21:18:54 pfsetvlan(17) INFO: finished
> > (main::cleanupAfterThread)
> >
> >
> > The wifi widget always reports 'searching for an ip address' and the
> > captive portal never appears and the ap doesn't show an association.
> >
> > vlan 102 is our registration vlan ; the ap configuration is as close
> > to the example as we could get it (but with snmp config, etc. for the
> > deauthenticate trap)
> >
> >
> > A good weekend and best wishes ...
> >
> > Chris
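
Added example, not part of the original thread and not PacketFence code: a small parser for packetfence.log lines of the shape quoted above. It lists, per MAC, the VLAN returned by RADIUS and any deauthentication trap that was left unparsed or unhandled. It assumes the number in parentheses identifies one worker and that a line naming no MAC belongs to the MAC that worker named last; the AP address and the second client are constructed.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the log excerpt quoted in the thread:
# wrapped lines joined, 192.0.2.10 is a placeholder for the masked AP address,
# and the second client (11:22:...) is invented to show a clean case.
SAMPLE_LOG = """\
Dec 30 21:18:51 pf::WebAPI(5578) INFO: handling radius autz request: from switch_ip => 192.0.2.10, connection_type => Wireless-802.11-NoEAP mac => aa:bb:cc:dd:ee:ff, port => 604, username => aabbccddeeff (pf::radius::authorize)
Dec 30 21:18:51 pf::WebAPI(5578) INFO: MAC: aa:bb:cc:dd:ee:ff is of status unreg; belongs into registration VLAN (pf::vlan::getRegistrationVlan)
Dec 30 21:18:51 pf::WebAPI(5578) INFO: Returning ACCEPT with VLAN: 102 (pf::radius::authorize)
Dec 30 21:18:54 pfsetvlan(17) WARN: unable to parse trapLine.. here's the line: 192.0.2.10||dot11Deauthentication|||aa:bb:cc:dd:ee:ff (main::startTrapHandlers)
Dec 30 21:18:54 pfsetvlan(17) INFO: doWeActOnThisTrap returns false. Stop dot11Deauthentication handling (main::handleTrap)
Dec 30 21:19:02 pf::WebAPI(5579) INFO: MAC: 11:22:33:44:55:66 is of status unreg; belongs into registration VLAN (pf::vlan::getRegistrationVlan)
Dec 30 21:19:02 pf::WebAPI(5579) INFO: Returning ACCEPT with VLAN: 102 (pf::radius::authorize)
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (?P<proc>[\w:]+)\((?P<id>\d+)\) (?P<lvl>\w+): (?P<msg>.*)$")
MAC = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)

def summarize(log_text):
    """Per-MAC view: VLANs returned by RADIUS, traps that failed to parse, traps not acted on."""
    out = defaultdict(lambda: {"vlans": [], "unparsed_traps": 0, "ignored_traps": 0})
    last_mac = {}  # (process, id) -> MAC most recently named by that worker (assumption)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        key, msg = (m["proc"], m["id"]), m["msg"]
        found = MAC.search(msg)
        if found:
            last_mac[key] = found.group(0).lower()
        mac = last_mac.get(key)
        if mac is None:
            continue
        if (v := re.search(r"Returning ACCEPT with VLAN: (\d+)", msg)):
            out[mac]["vlans"].append(int(v.group(1)))
        elif "unable to parse trapLine" in msg:
            out[mac]["unparsed_traps"] += 1
        elif "doWeActOnThisTrap returns false" in msg:
            out[mac]["ignored_traps"] += 1
    return dict(out)

def needs_review(summary, vlan):
    """MACs that were returned `vlan` and also had a trap left unparsed or unhandled."""
    return sorted(mac for mac, s in summary.items()
                  if vlan in s["vlans"] and (s["unparsed_traps"] or s["ignored_traps"]))

if __name__ == "__main__":
    print("review:", needs_review(summarize(SAMPLE_LOG), 102))
```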

_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
