Hi Chris,

Let me attempt to resolve your issue.

> So, thanks for the guidance; it's all working a treat now - except
> one, small, final point: the final deauthentication of the borne,
> *after* the captive portal, and its validation, has completed. There
> seems to be a problem reading the final deauthentication trap. I don't
> think it's a config issue (but I could be wrong ...)

The deauthentication trap sent from the AP was used to close the locationlog entry (to detect a client going away). This was disabled because of a race condition between traps and RADIUS requests (traps sometimes being slower to arrive, causing locationlog entries to be closed even though the client only re-authenticated). Anyway, the point is: ignore anything related to dot11Deauthentication.

>
> The bizarre thing is that if I perform the step manually, following
> your instructions for pfcmd_vlan, it *does* work. What is puzzling is
> that, presumably, pfcmd_vlan uses the config setup from PF
> (switches.conf ...). Why should it work manually - and not at the end
> of the captive portal process?

One thing I would like you to try: did you connect to the Access Point with SSH as user pf to cache the AP fingerprint? When you run as root, pfcmd_vlan could work, but when launched by pf (as user pf) it could hang on the "Are you sure you want to continue connecting (yes/no)?" question.

>
> Here are the logs:
>
> 'Normal' PF handling of captive portal sequence (doesn't work ...):
>
> Jan 05 15:09:01 pf::WebAPI(19867) INFO: handling radius autz request: from switch_ip => ip.ip.ip.ip, connection_type => Wireless-802.11-NoEAP mac => nn:nn:nn:nn:nn:nn, port => 269, username => nnnnnnnnnnnn (pf::radius::authorize)
> Jan 05 15:09:01 pf::WebAPI(19867) WARN: Unable to extract SSID for module pf::SNMP::Cisco::Aironet_1250. SSID-based VLAN assignments won't work. Please let us know so we can add support for it. (pf::SNMP::extractSsid)
> Jan 05 15:09:01 pf::WebAPI(19867) INFO: MAC: nn:nn:nn:nn:nn:nn, PID: xxxxxxxx, Status: reg. Returned VLAN: 6 (pf::radius::_findNodeVlan)
> Jan 05 15:09:01 pf::WebAPI(19867) INFO: Returning ACCEPT with VLAN: 6 (pf::radius::authorize)
> Jan 05 15:09:03 pfsetvlan(5) WARN: unable to parse trapLine.. here's the line: ip.ip.ip.ip ||dot11Deauthentication|||nn:nn:nn:nn:nn:nn (main::startTrapHandlers)
> Jan 05 15:09:03 pfsetvlan(5) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
> Jan 05 15:09:03 pfsetvlan(5) INFO: doWeActOnThisTrap returns false. Stop dot11Deauthentication handling (main::handleTrap)
> Jan 05 15:09:03 pfsetvlan(5) INFO: finished (main::cleanupAfterThread)
>

Lastly, these log lines here are too late. What I'm interested in is what comes after you successfully register. I would expect a call to flip.pl and then the appropriate pfcmd_vlan statements. Can you dig these up for me, please?

You are almost there!

Cheers!
--
Olivier Bilodeau
[email protected] :: +1.514.447.4918 *115 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
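
The host-key question raised in the reply above can be checked without opening an interactive SSH session. The following is an added example, not part of the original message and not PacketFence code: it reads an OpenSSH known_hosts file and reports which key types are cached for a given AP address, covering exact host names and hashed (`HashKnownHosts`) entries only. The sample file, the addresses and the key blobs are constructed, and the path of the pf user's known_hosts file is left to the caller because the message does not give it.

```python
import base64
import hashlib
import hmac
import sys


def host_field_matches(field, host):
    """True if a known_hosts host field names `host` (exact or hashed form)."""
    if field.startswith("|1|"):
        # HashKnownHosts entry: |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=host))
        _, _, salt_b64, mac_b64 = field.split("|")
        salt = base64.b64decode(salt_b64)
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, base64.b64decode(mac_b64))
    return host in field.split(",")  # exact names only; wildcards not handled


def cached_key_types(known_hosts_text, host):
    """Key types cached for `host`; an empty list means no cached host key."""
    found = []
    for line in known_hosts_text.splitlines():
        line = line.strip()
        # Skip blanks, comments and marker lines (@revoked, @cert-authority).
        if not line or line[0] in "#@":
            continue
        fields = line.split()
        if len(fields) >= 3 and host_field_matches(fields[0], host):
            found.append(fields[1])
    return found


def _hashed(host, salt=b"constructed-salt-0001"):
    """Build a hashed host field for the constructed sample below."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


# Constructed sample: TEST-NET addresses, placeholder key blobs.
SAMPLE = "\n".join([
    "# known_hosts of the service account (constructed)",
    "192.0.2.10 ssh-rsa PLACEHOLDERKEY",
    _hashed("192.0.2.20") + " ssh-ed25519 PLACEHOLDERKEY",
    "@revoked 192.0.2.30 ssh-rsa PLACEHOLDERKEY",
])

if __name__ == "__main__":
    # Usage: script.py <known_hosts path> <AP address>; falls back to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 2 else SAMPLE
    host = sys.argv[2] if len(sys.argv) > 2 else "192.0.2.20"
    print(host, cached_key_types(text, host) or "no cached host key")
```

Run it against the known_hosts file of the account that launches the command, not root's: an empty result for the AP address means that account has no cached key for it.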
