Have you looked at this thread? http://www.mail-archive.com/[email protected]/msg03329.html
It looks like your problem.

Regards

On 2012-12-07 15:47, David Schiller wrote:
Yes... I think the secret here is in the debug message:

*Dec 07 19:35:43.962: Received a 'RFC-3576 Disconnect-Request' from unknown server 10.93.0.1:50253

It says "unknown server", despite the fact that it previously does a bunch of aaa stuff just fine with 10.93.0.1 to initially associate the user to the AP.

Is there some other location where I need to define 10.93.0.1 as being OK?

On Fri, Dec 7, 2012 at 12:19 PM, Durand Fabrice <[email protected]> wrote:

    Have you removed what you did in clients.conf ?
    Regards

    On 2012-12-07 14:56, David Schiller wrote:
    10.93.0.1 is the Packetfence interface which is running the
    Radius server... here is the netstat:

    udp        0      0 10.93.0.1:1812 0.0.0.0:*
    udp        0      0 10.93.0.1:1813 0.0.0.0:*
    udp        0      0 10.93.0.1:1814 0.0.0.0:*

    That is configured with RFC 3576 and useStrongerSecret on the WiSM.

    On Fri, Dec 7, 2012 at 11:46 AM, Durand Fabrice
    <[email protected]> wrote:

        What is this address 10.93.0.1?
        Your controller must know 10.93.0.1 as a radius server.

        Regards

        On 2012-12-07 14:36, David Schiller wrote:
        Hi, thanks... I do have RFC 3576 enabled.  I did as you
        suggested but it didn't seem to work:

        $ cat pod.txt | radclient -x 10.93.0.252:3799 disconnect useStrongerSecret
        Sending Disconnect-Request of id 61 to 10.93.0.252 port 3799
            Calling-Station-Id = "00:11:22:33:44:55"
            Service-Type = Login-User
        Sending Disconnect-Request of id 61 to 10.93.0.252 port 3799
            Calling-Station-Id = "00:11:22:33:44:55"
            Service-Type = Login-User
        Sending Disconnect-Request of id 61 to 10.93.0.252 port 3799
            Calling-Station-Id = "00:11:22:33:44:55"
            Service-Type = Login-User
        radclient: no response from server for ID 61 socket 3

        Interestingly, on the WiSM I am debugging AAA:

        (WiSM-slot6-1) >
        *Dec 07 19:35:43.962: Received a 'RFC-3576 Disconnect-Request' from unknown server 10.93.0.1:50253
        *Dec 07 19:35:48.966: Received a 'RFC-3576 Disconnect-Request' from unknown server 10.93.0.1:50253
        *Dec 07 19:35:53.971: Received a 'RFC-3576 Disconnect-Request' from unknown server 10.93.0.1:50253

        So it seems to be getting there...


        On Fri, Dec 7, 2012 at 7:47 AM, Durand Fabrice
        <[email protected]> wrote:

            Hello David,
            First you don't have to set radius secret in
            raddb/clients.conf.
            Radius is configured to get the clients configuration in
            packetfence database.

            You also have to enable RFC 3576 in the controller and
            you can make a test by using this command:

            Create a file pod.txt

            Calling-Station-Id = "00:11:22:33:44:55"
            Service-Type = "Login-User"

            And launch

            cat pod.txt | radclient -x 10.93.0.252:3799 disconnect useStrongerSecret

            Regards
            Fabrice




            On 2012-12-06 16:46, David Schiller wrote:
            Hi, I am in the process of moving our standalone AP
            setup to a LWAPP setup with a Cisco WiSM.  I actually
            have managed to get everything pretty much working, but
            one thing I have not been able to figure out is how to
            get PF to properly Deauth users once they register, to
            place them in the proper VLAN.  If I manually leave
            the SSID and come back, then it makes the switch OK,
            but we obviously want this to be automated like with
            the standalone setup.  I am getting this in the
            packetfence.log:

            Dec 06 14:16:09 pfcmd(19120) INFO: trying to dissociate a wireless 802.1x user, this might not work depending on hardware support. If its your case please file a bug (pf::enforcement::_vlan_reevaluation)
            Dec 06 14:16:11 pfsetvlan(21) INFO: local (127.0.0.1) trap for switch 10.93.0.252 (main::parseTrap)
            Dec 06 14:16:11 pfsetvlan(1) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
            Dec 06 14:16:11 pfsetvlan(1) INFO: desAssociate trap received on 10.93.0.252 for wireless client 00:1e:52:xx:xx:xx (main::handleTrap)
            Dec 06 14:16:13 pfcmd_vlan(19129) INFO: wireless deauthentication of a 802.1x MAC (main::)
            Dec 06 14:16:23 pfcmd_vlan(19129) WARN: Unable to perform RADIUS Disconnect-Request: Timeout waiting for a reply from 10.93.0.252 on port 3799 at /usr/local/pf/lib/pf/util/radius.pm line 160. (pf::SNMP::__ANON__)
            Dec 06 14:16:23 pfcmd_vlan(19129) ERROR: Wrong RADIUS secret or unreachable network device... (pf::SNMP::__ANON__)

            It is a little unclear to me whether or not the WiSM
            uses RADIUS or SNMP for Deauth... it looks like it is
            trying RADIUS but I have seen other threads that seemed
            to indicate that this is done with SNMP.  I have double
            checked that my shared secret in raddb/clients.conf and
            in the WiSM config is correct. Also, IP connectivity
            between everything seems to be fine. I have this in my
            switches.conf:

            [10.93.0.252]
            mode=production
            type=Cisco::WiSM
            vlans=92,93,94,95,96
            normalVlan=94
            isolationVlan=92
            radiusSecret=useStrongerSecret
            SNMPVersion=1
            SNMPCommunityRead=public
            SNMPCommunityWrite=private
            SNMPVersionTrap=1
            SNMPCommunityTrap=public

            One other thing I have noticed, which may or may not be
            related, is that in Packetfence under Nodes, before it
            would show me the IP address of the last AP the user
            was on, but now with the WiSM it only shows the IP
            address of the WiSM instead of the particular IP.  Can
            this be fixed?  It is useful to know which AP a user is
            associated with, and I am wondering if this is actually
            maybe a problem.

            Please let me know if you need more info... thanks,

            David


            
            ------------------------------------------------------------------------------
            LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
            Remotely access PCs and mobile devices and provide instant support
            Improve your efficiency, and focus on delivering more value-add services
            Discover what IT Professionals Know. Rescue delivers
            http://p.sf.net/sfu/logmein_12329d2d

            _______________________________________________
            PacketFence-users mailing list
            [email protected]
            https://lists.sourceforge.net/lists/listinfo/packetfence-users

            --
            Fabrice Durand
            [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
            Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
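
Added example, not part of the thread and not PacketFence or Cisco code: how the shared secret enters an RFC 3576 Disconnect-Request like the pod.txt test above, and how each side checks it, which is what the "Wrong RADIUS secret" half of the log error refers to. The authenticator rules are the standard ones (RFC 5176, which obsoletes RFC 3576); the function names are hypothetical, the id, MAC and secret are the thread's values, and the controller's separate "unknown server" source-address check is not modelled.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
CALLING_STATION_ID, SERVICE_TYPE, LOGIN_USER = 31, 6, 1

def attr(attr_type, value):
    """Encode one attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def signed_packet(code, ident, seed, attrs, secret):
    """Authenticator = MD5(header | seed | attributes | shared secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    digest = hashlib.md5(header + seed + attrs + secret).digest()
    return header + digest + attrs

def build_disconnect_request(ident, mac, secret):
    """Same two attributes as pod.txt; the seed is 16 zero octets."""
    attrs = (attr(CALLING_STATION_ID, mac.encode())
             + attr(SERVICE_TYPE, struct.pack("!I", LOGIN_USER)))
    return signed_packet(DISCONNECT_REQUEST, ident, bytes(16), attrs, secret)

def request_is_authentic(packet, secret):
    """NAS side: recompute the Request Authenticator with the local secret."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False
    expected = signed_packet(code, ident, bytes(16), packet[20:], secret)
    return hmac.compare_digest(expected[4:20], packet[4:20])

def reply_is_authentic(reply, request, secret):
    """Server side: an ACK/NAK is seeded with the request's authenticator."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if (code not in (DISCONNECT_ACK, DISCONNECT_NAK)
            or ident != request[1] or length != len(reply)):
        return False
    expected = signed_packet(code, ident, request[4:20], reply[20:], secret)
    return hmac.compare_digest(expected[4:20], reply[4:20])

if __name__ == "__main__":
    secret = b"useStrongerSecret"  # value from the thread's switches.conf
    req = build_disconnect_request(61, "00:11:22:33:44:55", secret)
    print(request_is_authentic(req, secret), request_is_authentic(req, b"other"))
```

A receiver that fails either check drops the packet without answering, so a secret mismatch and an unreachable device both appear to the sender as the same timeout.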


            