When PacketFence attempts to deauth/CoA via RADIUS on a WLC, the following 
error appears on the WLC: Invalid RADIUS message authenticator

A quick search yields some wisdom that Olivier provided to someone with a 
remotely similar issue.
http://comments.gmane.org/gmane.comp.networking.packetfence.user/3908

I have confirmed that I am running firmware 7.2.110.0 on the WLC, so this 
should work.  (RADIUS Disconnect)

I spot the issue below, but I am uncertain why the message authenticator is 
invalid. Am I doing something wrong?

PACKETFENCE.LOG:

Oct 04 18:37:39 register.cgi(0) INFO: 00:88:10:88:59:88 is currentlog connected 
at <WLC IP> ifIndex 13 in VLAN REG_VLAN 
(pf::enforcement::_should_we_reassign_vlan)
Oct 04 18:37:39 register.cgi(0) INFO: [CUSTOM-NOCATCH] Defined (y/n)? 1 -- 
value =  (pf::vlan::custom::getNormalVlan)
Oct 04 18:37:39 register.cgi(0) INFO: MAC: 00:88:10:88:59:88, PID: username, 
Status: reg. Returned VLAN: NORMAL_VLAN (pf::vlan::fetchVlanForNode)
Oct 04 18:37:39 register.cgi(0) INFO: VLAN reassignment required for 
00:88:10:88:59:88 (current VLAN = REG_VLAN but should be in VLAN NORMAL_VLAN) 
(pf::enforcement::_should_we_reassign_vlan)
Oct 04 18:37:39 register.cgi(0) INFO: switch port for 00:88:10:88:59:88 is <WLC 
IP> ifIndex 13 connection type: WiFi 802.1X 
(pf::enforcement::_vlan_reevaluation)
Oct 04 18:37:39 register.cgi(0) INFO: trying to dissociate a wireless 802.1x 
user, this might not work depending on hardware support. If its your case 
please file a bug (pf::enforcement::_vlan_reevaluation)
Oct 04 18:37:39 register.cgi(0) INFO: 10.0.0.39 - 00:88:10:88:59:88 on 
registration page 
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_register_2ecgi::handler)
Oct 04 18:37:40 pfdhcplistener(26773) INFO: 00:88:10:88:59:88 requested an IP. 
DHCP Fingerprint: OS::109 (Microsoft Windows 8). Modified node with last_dhcp = 
2012-10-04 18:37:40,computername = LAPTOPNAME,dhcp_fingerprint = 
1,15,3,6,44,46,47,31,33,121,249,252,43 (main::listen_dhcp)
Oct 04 18:37:40 pfdhcplistener(26773) INFO: DHCPACK from 10.0.0.254 
(00:99:56:99:00:99) to host 00:88:10:88:59:88 (10.0.0.39) for 20 seconds 
(main::parse_dhcp_ack)
Oct 04 18:37:42 pfsetvlan(21) INFO: local (127.0.0.1) trap for switch <WLC IP> 
(main::parseTrap)
Oct 04 18:37:42 pfsetvlan(1) INFO: nb of items in queue: 1; nb of threads 
running: 0 (main::startTrapHandlers)
Oct 04 18:37:42 pfsetvlan(1) INFO: desAssociate trap received on <WLC IP> for 
wireless client 00:88:10:88:59:88 (main::handleTrap)
Oct 04 18:37:42 pfcmd_vlan(26918) INFO: wireless deauthentication of a 802.1x 
MAC (main::)

Oct 04 18:37:50 pfdhcplistener(26773) INFO: 00:88:10:88:59:88 requested an IP. 
DHCP Fingerprint: OS::109 (Microsoft Windows 8). Modified node with last_dhcp = 
2012-10-04 18:37:50,computername = LAPTOPNAME,dhcp_fingerprint = 
1,15,3,6,44,46,47,31,33,121,249,252,43 (main::listen_dhcp)
Oct 04 18:37:50 pfdhcplistener(26773) INFO: DHCPACK from 10.0.0.254 
(00:99:56:99:00:99) to host 00:88:10:88:59:88 (10.0.0.39) for 20 seconds 
(main::parse_dhcp_ack)
Oct 04 18:37:52 pfcmd_vlan(26918) WARN: Unable to perform RADIUS 
Disconnect-Request: Timeout waiting for a reply from <WLC IP> on port 3799 at 
/usr/local/pf/lib/pf/util/radius.pm line 160. (pf::SNMP::__ANON__)
Oct 04 18:37:52 pfcmd_vlan(26918) ERROR: Wrong RADIUS secret or unreachable 
network device... (pf::SNMP::__ANON__)
Oct 04 18:37:52 pfsetvlan(1) INFO: finished (main::cleanupAfterThread)


WLC5508 radius debug log:

*radiusTransportThread: Oct 05 02:05:02.680: ****Enter processIncomingMessages: 
response code=5
*radiusTransportThread: Oct 05 02:05:02.680: ****Enter processRadiusResponse: 
response code=5
*radiusTransportThread: Oct 05 02:05:02.680: 00:27:10:41:59:60 
Accounting-Response received from RADIUS server <PACKETFENCE IP> for mobile 
00:88:10:88:59:88 receiveId = 0
*radiusRFC3576TransportThread: Oct 05 02:05:29.134: Invalid RADIUS message 
authenticator
*radiusRFC3576TransportThread: Oct 05 02:05:29.134: Invalid message 
authenticator received in 'RFC-3576 Disconnect-Request' from <PACKETFENCE IP>


_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
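
An added example, not part of the original post and not PacketFence or Cisco code: a checker for the two integrity values a NAS validates on an RFC 3576/5176 Disconnect-Request, usable on a captured packet to see whether it matches the shared secret configured on the controller. Per the RFC, Message-Authenticator is HMAC-MD5 keyed with the shared secret over the packet with both the Authenticator field and the attribute value taken as sixteen zero octets, and the Request Authenticator is then computed as for an Accounting-Request. The function names, the sample packet and both secrets are constructed for illustration.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40      # RFC 5176 packet code
MESSAGE_AUTHENTICATOR = 80   # attribute type, value is 16 octets
ZERO16 = bytes(16)

def attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value

def build_disconnect_request(ident, attrs, secret):
    """Build a Disconnect-Request in the order the RFC prescribes."""
    body = attrs + attr(MESSAGE_AUTHENTICATOR, ZERO16)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    # 1. HMAC-MD5 with the Authenticator field and the attribute value zeroed
    mac = hmac.new(secret, header + ZERO16 + body, hashlib.md5).digest()
    body = attrs + attr(MESSAGE_AUTHENTICATOR, mac)
    # 2. Request Authenticator = MD5(header + 16 zeros + attributes + secret)
    req_auth = hashlib.md5(header + ZERO16 + body + secret).digest()
    return header + req_auth + body

def verify_disconnect_request(packet, secret):
    """Return (request_authenticator_ok, message_authenticator_ok)."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Disconnect-Request")
    header, req_auth, body = packet[:4], packet[4:20], packet[20:]
    req_ok = hmac.compare_digest(
        req_auth, hashlib.md5(header + ZERO16 + body + secret).digest())
    # Walk the attributes, zeroing Message-Authenticator for the HMAC check
    zeroed, received, i = bytearray(body), None, 0
    while i + 2 <= len(body):
        a_type, a_len = body[i], body[i + 1]
        if a_len < 2 or i + a_len > len(body):
            raise ValueError("malformed attribute")
        if a_type == MESSAGE_AUTHENTICATOR and a_len == 18:
            received = body[i + 2:i + 18]
            zeroed[i + 2:i + 18] = ZERO16
        i += a_len
    if received is None:
        return req_ok, None  # attribute absent from the packet
    expected = hmac.new(secret, header + ZERO16 + bytes(zeroed), hashlib.md5).digest()
    return req_ok, hmac.compare_digest(received, expected)

# Constructed sample: the MAC from the log as Calling-Station-Id (type 31);
# the identifier and the secret are made up.
SAMPLE = build_disconnect_request(
    7, attr(31, b"00-88-10-88-59-88"), b"secret-on-packetfence")
```

Running `verify_disconnect_request` on the UDP payload of a captured Disconnect-Request with the secret as entered on the WLC shows whether either value fails for that secret.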
