AHA!  (Sort of) solved it.

By removing the option to validate the server certificate on the client's WLAN 
connections, it then authenticates the user with no problems.  This is how I 
have it set up for my wired network also.  It's actually something I've been 
meaning to ask for a while: does this box need to be checked for this to be 
secure when using PF?

Unfortunately, clients connected to the WLC5500 do not get successfully put 
into the isolation VLAN when they should be.  I can see in the PF logs 
that it tries, but the change never gets reflected down to the user.

Cheers,
Andi

-----Original Message-----
From: Morris, Andi [mailto:[email protected]] 
Sent: 12 March 2012 15:38
To: [email protected]
Subject: Re: [Packetfence-users] Cisco Wireless Lan Controller 5500

OK, I have successfully got the new controller talking to our Windows RADIUS 
servers in order to test, and can authenticate users.  Switching over to the PF 
server for authentication via FreeRADIUS, I get the errors as below:
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.1.13 port 32768, id=7, length=211
        User-Name = "sm18818"
        Calling-Station-Id = "00-26-b6-da-18-42"
        Called-Station-Id = "b8-be-bf-ef-24-20:hallsnet-student"
        NAS-Port = 13
        NAS-IP-Address = 10.1.1.13
        NAS-Identifier = "cywlc_halls"
        Airespace-Wlan-Id = 1
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "710"
        EAP-Message = 0x0205001119800000000715030100020230
        State = 0x4dff6b344ffa727124508253e356604b
        Message-Authenticator = 0x28de35753ef6ab156d7e60261470a7b8
server packetfence {
# Executing section authorize from file /etc/raddb/sites-enabled/packetfence
+- entering group authorize {...}
[suffix] No '@' in User-Name = "sm18818", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[preprocess] returns ok
[eap] EAP packet type response id 5 length 17
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/packetfence
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 7
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
    TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4
[peap] EAPTLS_OTHERS
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
} # server packetfence
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/packetfence
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> sm18818
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 60 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 60
Sending Access-Reject of id 7 to 10.1.1.13 port 32768
        EAP-Message = 0x04050004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 57 ID 4 with timestamp +18676
Cleaning up request 58 ID 5 with timestamp +18676
Cleaning up request 59 ID 6 with timestamp +18676
Waking up in 1.0 seconds.
Cleaning up request 60 ID 7 with timestamp +18676
Ready to process requests.

PS, if this kind of support is covered under our current support contract with 
Inverse, I'll happily raise this as an official ticket and take it off the 
mailing list if you'd rather.  Otherwise I'm hoping that other users who have 
configured WLC4400s successfully can maybe offer some advice.

Cheers,
Andi
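As an added example (not from the thread, and not PacketFence or FreeRADIUS code), a small Python triage script for FreeRADIUS debug output like the one quoted above. It pulls the Access-Request attributes out and reads the direction of the fatal TLS alert: a `read` alert was received from the supplicant, which is the client refusing the RADIUS server certificate, the very case that unchecking "validate server certificate" makes disappear. `SAMPLE_LOG` is constructed in the shape of the thread's output; the function names are mine.

```python
import re

# Constructed sample shaped like the FreeRADIUS 2.x debug output quoted in the thread.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.1.1.13 port 32768, id=7, length=211
        User-Name = "sm18818"
        Calling-Station-Id = "00-26-b6-da-18-42"
        NAS-IP-Address = 10.1.1.13
        Tunnel-Private-Group-Id:0 = "710"
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
Sending Access-Reject of id 7 to 10.1.1.13 port 32768
"""
# Indented "Name[:tag] = value" attribute lines; quotes around the value are optional.
ATTR_RE = re.compile(r'^\s+([\w-]+)(?::\d+)?\s*=\s*"?([^"]*)"?\s*$')
# "read" = FreeRADIUS received the alert from the peer; "write" = FreeRADIUS sent it.
ALERT_RE = re.compile(r'TLS Alert (read|write):fatal:(.+)$')

def parse_attributes(log):
    """Return the Access-Request attributes as a {name: value} dict."""
    attrs = {}
    for line in log.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs

def classify_tls_alert(log):
    """Say which TLS peer sent the fatal alert, or None if there was none."""
    for line in log.splitlines():
        m = ALERT_RE.search(line)
        if m:
            direction, reason = m.groups()
            # A received alert came from the supplicant: it rejected our server cert.
            side = "supplicant" if direction == "read" else "server"
            return {"rejected_by": side, "reason": reason.strip()}
    return None

def triage(log):
    """One record per request: who, from where, and why the handshake failed."""
    attrs, alert = parse_attributes(log), classify_tls_alert(log)
    if alert is None:
        verdict = "ok"
    elif alert["rejected_by"] == "supplicant" and "unknown CA" in alert["reason"]:
        verdict = "supplicant does not trust the RADIUS server certificate chain"
    else:
        verdict = f'{alert["rejected_by"]} rejected peer: {alert["reason"]}'
    return {"user": attrs.get("User-Name"), "mac": attrs.get("Calling-Station-Id"),
            "nas": attrs.get("NAS-IP-Address"),
            "vlan": attrs.get("Tunnel-Private-Group-Id"), "verdict": verdict}
```

When the verdict is the supplicant one, the fix that keeps server authentication is to distribute the CA that issued the RADIUS server certificate to the clients, rather than unticking validation.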

-----Original Message-----
From: Morris, Andi [mailto:[email protected]]
Sent: 12 March 2012 13:52
To: [email protected]
Subject: Re: [Packetfence-users] Cisco Wireless Lan Controller 5500

Hi Francois,
I'll give that a go.  Currently we're struggling to get it to authenticate via 
RADIUS anyway, even before PacketFence gets invoked.

What is involved with sponsoring?

Cheers,
Andi

-----Original Message-----
From: Francois Gaudreault [mailto:[email protected]]
Sent: 12 March 2012 12:37
To: [email protected]
Subject: Re: [Packetfence-users] Cisco Wireless Lan Controller 5500

Hi Andi,

Try using the WLC_4400 module.  It will probably behave the same way.
If not, let us know; if you are interested, you can probably sponsor the module 
development.

Thanks.

On 12-03-12 7:08 AM, Morris, Andi wrote:
> Hi,
>
> Has anyone successfully set up a WLC 5500 in PacketFence? I would very 
> much like to get one working, but the documentation for the 4400 is 
> "to be contributed", and there is also no option to add the 5500 in 
> the switches interface. Is this something that would be possible?
>
> Cheers,
>
> Andi
>
> ---------------------------------------------------------------
> Andi Morris
> Technical Security Analyst
>
> Systems and Communications Services
> Information Services Division
> Cardiff Metropolitan University
> Cardiff
> Wales
> CF5 2YB
>
> 02920 205720
>
> --------------------------------------------------------------
>
> _______________________________________________
> Packetfence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users


--
Francois Gaudreault, ing. jr
[email protected]  ::  +1.514.447.4918 (x130)  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
