Hi, thanks... I do have RFC 3576 enabled. I did as you suggested but it
didn't seem to work:
$ cat pod.txt | radclient -x 10.93.0.252:3799 disconnect useStrongerSecret
Sending Disconnect-Request of id 61 to 10.93.0.252 port 3799
Calling-Station-Id = "00:11:22:33:44:55"
Service-Type = Login-User
Sending Disconnect-Request of id 61 to 10.93.0.252 port 3799
Calling-Station-Id = "00:11:22:33:44:55"
Service-Type = Login-User
Sending Disconnect-Request of id 61 to 10.93.0.252 port 3799
Calling-Station-Id = "00:11:22:33:44:55"
Service-Type = Login-User
radclient: no response from server for ID 61 socket 3
Interestingly, on the WiSM I am debugging AAA:
(WiSM-slot6-1) >
*Dec 07 19:35:43.962: Received a 'RFC-3576 Disconnect-Request' from unknown
server 10.93.0.1:50253
*Dec 07 19:35:48.966: Received a 'RFC-3576 Disconnect-Request' from unknown
server 10.93.0.1:50253
*Dec 07 19:35:53.971: Received a 'RFC-3576 Disconnect-Request' from unknown
server 10.93.0.1:50253
So it seems to be getting there...
On Fri, Dec 7, 2012 at 7:47 AM, Durand Fabrice <[email protected]> wrote:
> Hello David,
> First you don´t have to set radius secret in raddb/clients.conf.
> Radius is configured to get the clients configuration in packetfence
> database.
>
> You also have to enable RFC 3576 in the controller and you can make a test
> by using this command:
>
> Create a file pod.txt
>
> Calling-Station-Id = "00:11:22:33:44:55"Service-Type = "Login-User"
>
> And launch
> cat pod.txt | radclient -x 10.93.0.252:3799 disconnect useStrongerSecret
>
> Regards
> Fabrice
>
>
>
>
> Le 2012-12-06 16:46, David Schiller a écrit :
>
> Hi, I am in the process of moving our standalone AP setup to a LWAPP setup
> with a Cisco WiSM. I actually have managed to get everything pretty much
> working, but one thing I have not been able to figure out is how to get PF
> to properly Deauth users once they register, to place them in the proper
> VLAN. If I manually, leave the SSID and come back, then it makes the
> switch OK, but we obviously want this to be automated like with the
> standalone setup. I am getting this in the packetfence.log:
>
> Dec 06 14:16:09 pfcmd(19120) INFO: trying to dissociate a wireless 802.1x
> user, this might not work depending on hardware support. If its your case
> please file a bug (pf::enforcement::_vlan_reevaluation)
> Dec 06 14:16:11 pfsetvlan(21) INFO: local (127.0.0.1) trap for switch
> 10.93.0.252 (main::parseTrap)
> Dec 06 14:16:11 pfsetvlan(1) INFO: nb of items in queue: 1; nb of threads
> running: 0 (main::startTrapHandlers)
> Dec 06 14:16:11 pfsetvlan(1) INFO: desAssociate trap received on
> 10.93.0.252 for wireless client 00:1e:52:xx:xx:xx (main::handleTrap)
> Dec 06 14:16:13 pfcmd_vlan(19129) INFO: wireless deauthentication of a
> 802.1x MAC (main::)
> Dec 06 14:16:23 pfcmd_vlan(19129) WARN: Unable to perform RADIUS
> Disconnect-Request: Timeout waiting for a reply from 10.93.0.252 on port
> 3799 at /usr/local/pf/lib/pf/util/radius.pm line 160. (pf::SNMP::__ANON__)
> Dec 06 14:16:23 pfcmd_vlan(19129) ERROR: Wrong RADIUS secret or
> unreachable network device... (pf::SNMP::__ANON__)
>
> It is a little unclear to me whether or not the WiSM uses RADIUS or SNMP
> for Deauth... it looks like it is trying RADIUS but I have seen other
> threads that seemed to indicate that this is done with SNMP. I have double
> checked that my shared secret in raddb/clients.conf and in the WiSM config
> is correct. Also, IP connectivity between everything seems to be fine. I
> have this in my switches.conf:
>
> [10.93.0.252]
> mode=production
> type=Cisco::WiSM
> vlans=92,93,94,95,96
> normalVlan=94
> isolationVlan=92
> radiusSecret=useStrongerSecret
> SNMPVersion=1
> SNMPCommunityRead=public
> SNMPCommunityWrite=private
> SNMPVersionTrap=1
> SNMPCommunityTrap=public
>
> One other thing I have noticed, which may or may not be related, is that
> in Packetfence under Nodes, before it would show me the IP address of the
> last AP the user was on, but now with the WiSM it only shows the IP address
> of the WiSM instead of the particular IP. Can this be fixed? It is useful
> to know which AP a user is associated with, and I am wondering if this is
> actually maybe a problem.
>
> Please let me know if you need more info... thanks,
>
> David
>
>
> ------------------------------------------------------------------------------
> LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
> Remotely access PCs and mobile devices and provide instant support
> Improve your efficiency, and focus on delivering more value-add services
> Discover what IT Professionals Know. Rescue
> delivershttp://p.sf.net/sfu/logmein_12329d2d
>
>
>
> _______________________________________________
> PacketFence-users mailing
> [email protected]https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
>
> --
> Fabrice [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
> (http://packetfence.org)
>
>
>
> ------------------------------------------------------------------------------
> LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
> Remotely access PCs and mobile devices and provide instant support
> Improve your efficiency, and focus on delivering more value-add services
> Discover what IT Professionals Know. Rescue delivers
> http://p.sf.net/sfu/logmein_12329d2d
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
