Here's something weird... I tried deleting my AAA auth server and
recreating it in the CLI instead of through the webgui... it will not let
me set RFC3576:

(WiSM-slot6-1) >config radius auth rfc3576 enable 1
Unable to set server's RFC 3576 state.


On Fri, Dec 7, 2012 at 1:23 PM, David Schiller <[email protected]> wrote:

> I have looked through that thread... Can you clear something up for me?  I
> thought that the Radius shared secret in PF was defined in
> raddb/clients.conf and then on the WiSM in the obvious place.  But you say
> I can get rid of the entry in raddb/clients.conf, which I have, and it
> still works.  Where else is it defined in PF?  In switches.conf, it doesn't
> seem to make a difference if I have it or not in the definition for
> 10.93.0.252... it is still able to do the initial authentication to
> associate to the AP.
>
>
> On Fri, Dec 7, 2012 at 1:13 PM, Durand Fabrice <[email protected]> wrote:
>
>>  Have you looked at this thread?
>> http://www.mail-archive.com/[email protected]/msg03329.html
>> It looks like your problem.
>>
>> Regards
>>
>> On 2012-12-07 15:47, David Schiller wrote:
>>
>> Yes... I think the secret here is in the debug message:
>>
>> *Dec 07 19:35:43.962: Received a 'RFC-3576 Disconnect-Request' from
>> unknown server 10.93.0.1:50253
>>
>> It says "unknown server", despite the fact that it previously does a
>> bunch of aaa stuff just fine with 10.93.0.1 to initially associate the user
>> to the AP.
>>
>> Is there some other location where I need to define 10.93.0.1 as being OK?
>>
>> On Fri, Dec 7, 2012 at 12:19 PM, Durand Fabrice <[email protected]> wrote:
>>
>>>  Have you removed what you did in clients.conf?
>>> Regards
>>>
>>> On 2012-12-07 14:56, David Schiller wrote:
>>>
>>> 10.93.0.1 is the Packetfence interface which is running the Radius
>>> server... here is the netstat:
>>>
>>> udp        0      0 10.93.0.1:1812              0.0.0.0:*
>>>
>>> udp        0      0 10.93.0.1:1813              0.0.0.0:*
>>>
>>> udp        0      0 10.93.0.1:1814              0.0.0.0:*
>>>
>>> That is configured with RFC 3576 and useStrongerSecret on the WiSM.
>>>
>>> On Fri, Dec 7, 2012 at 11:46 AM, Durand Fabrice <[email protected]> wrote:
>>>
>>>>  What is this address 10.93.0.1?
>>>> Your controller must know 10.93.0.1 as a RADIUS server.
>>>>
>>>> Regards
>>>>
>>>> On 2012-12-07 14:36, David Schiller wrote:
>>>>
>>>> Hi, thanks... I do have RFC 3576 enabled.  I did as you suggested but
>>>> it didn't seem to work:
>>>>
>>>> $ cat pod.txt | radclient -x 10.93.0.252:3799 disconnect useStrongerSecret
>>>> Sending Disconnect-Request of id 61 to 10.93.0.252 port 3799
>>>>     Calling-Station-Id = "00:11:22:33:44:55"
>>>>     Service-Type = Login-User
>>>> Sending Disconnect-Request of id 61 to 10.93.0.252 port 3799
>>>>     Calling-Station-Id = "00:11:22:33:44:55"
>>>>     Service-Type = Login-User
>>>> Sending Disconnect-Request of id 61 to 10.93.0.252 port 3799
>>>>     Calling-Station-Id = "00:11:22:33:44:55"
>>>>     Service-Type = Login-User
>>>> radclient: no response from server for ID 61 socket 3
>>>>
>>>> Interestingly, on the WiSM I am debugging AAA:
>>>>
>>>> (WiSM-slot6-1) >
>>>> *Dec 07 19:35:43.962: Received a 'RFC-3576 Disconnect-Request' from
>>>> unknown server 10.93.0.1:50253
>>>> *Dec 07 19:35:48.966: Received a 'RFC-3576 Disconnect-Request' from
>>>> unknown server 10.93.0.1:50253
>>>> *Dec 07 19:35:53.971: Received a 'RFC-3576 Disconnect-Request' from
>>>> unknown server 10.93.0.1:50253
>>>>
>>>> So it seems to be getting there...
>>>>
>>>>
>>>>  On Fri, Dec 7, 2012 at 7:47 AM, Durand Fabrice <[email protected]> wrote:
>>>>
>>>>>  Hello David,
>>>>> First, you don't have to set the RADIUS secret in raddb/clients.conf.
>>>>> RADIUS is configured to get the client configuration from the PacketFence
>>>>> database.
>>>>>
>>>>> You also have to enable RFC 3576 in the controller and you can make a
>>>>> test by using this command:
>>>>>
>>>>> Create a file pod.txt:
>>>>>
>>>>> Calling-Station-Id = "00:11:22:33:44:55"
>>>>> Service-Type = "Login-User"
>>>>>
>>>>> And launch:
>>>>> cat pod.txt | radclient -x 10.93.0.252:3799 disconnect useStrongerSecret
>>>>>
>>>>> Regards
>>>>> Fabrice
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 2012-12-06 16:46, David Schiller wrote:
>>>>>
>>>>>  Hi, I am in the process of moving our standalone AP setup to a LWAPP
>>>>> setup with a Cisco WiSM.  I actually have managed to get everything pretty
>>>>> much working, but one thing I have not been able to figure out is how to
>>>>> get PF to properly Deauth users once they register, to place them in the
>>>>> proper VLAN.  If I manually leave the SSID and come back, then it makes
>>>>> the switch OK, but we obviously want this to be automated like with the
>>>>> standalone setup.  I am getting this in the packetfence.log:
>>>>>
>>>>> Dec 06 14:16:09 pfcmd(19120) INFO: trying to dissociate a wireless
>>>>> 802.1x user, this might not work depending on hardware support. If its your
>>>>> case please file a bug (pf::enforcement::_vlan_reevaluation)
>>>>> Dec 06 14:16:11 pfsetvlan(21) INFO: local (127.0.0.1) trap for switch
>>>>> 10.93.0.252 (main::parseTrap)
>>>>> Dec 06 14:16:11 pfsetvlan(1) INFO: nb of items in queue: 1; nb of
>>>>> threads running: 0 (main::startTrapHandlers)
>>>>> Dec 06 14:16:11 pfsetvlan(1) INFO: desAssociate trap received on
>>>>> 10.93.0.252 for wireless client 00:1e:52:xx:xx:xx (main::handleTrap)
>>>>> Dec 06 14:16:13 pfcmd_vlan(19129) INFO: wireless deauthentication of a
>>>>> 802.1x MAC (main::)
>>>>> Dec 06 14:16:23 pfcmd_vlan(19129) WARN: Unable to perform RADIUS
>>>>> Disconnect-Request: Timeout waiting for a reply from 10.93.0.252 on port
>>>>> 3799 at /usr/local/pf/lib/pf/util/radius.pm line 160.
>>>>> (pf::SNMP::__ANON__)
>>>>> Dec 06 14:16:23 pfcmd_vlan(19129) ERROR: Wrong RADIUS secret or
>>>>> unreachable network device... (pf::SNMP::__ANON__)
>>>>>
>>>>> It is a little unclear to me whether or not the WiSM uses RADIUS or
>>>>> SNMP for Deauth... it looks like it is trying RADIUS but I have seen other
>>>>> threads that seemed to indicate that this is done with SNMP.  I have double
>>>>> checked that my shared secret in raddb/clients.conf and in the WiSM config
>>>>> is correct.  Also, IP connectivity between everything seems to be fine.  I
>>>>> have this in my switches.conf:
>>>>>
>>>>> [10.93.0.252]
>>>>> mode=production
>>>>> type=Cisco::WiSM
>>>>> vlans=92,93,94,95,96
>>>>> normalVlan=94
>>>>> isolationVlan=92
>>>>> radiusSecret=useStrongerSecret
>>>>> SNMPVersion=1
>>>>> SNMPCommunityRead=public
>>>>> SNMPCommunityWrite=private
>>>>> SNMPVersionTrap=1
>>>>> SNMPCommunityTrap=public
>>>>>
>>>>> One other thing I have noticed, which may or may not be related, is
>>>>> that in Packetfence under Nodes, before it would show me the IP address of
>>>>> the last AP the user was on, but now with the WiSM it only shows the IP
>>>>> address of the WiSM instead of the particular IP.  Can this be fixed?  It
>>>>> is useful to know which AP a user is associated with, and I am wondering if
>>>>> this is actually maybe a problem.
>>>>>
>>>>> Please let me know if you need more info... thanks,
>>>>>
>>>>> David
>>>>>
>>>>> --
>>>>> Fabrice [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
>>>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
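
The thread shows two ways a Disconnect-Request ends in a timeout: the controller logs "unknown server" for the sender, and PacketFence reports "Wrong RADIUS secret or unreachable network device". The following is an added example, not code from the thread or from PacketFence: it builds the same request as the pod.txt test and models both receiver-side checks. `nas_check` and its `known_servers` table are a simplified assumption, not the WiSM's actual logic.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40    # RFC 3576 packet code
CALLING_STATION_ID = 31    # attribute type
SERVICE_TYPE = 6           # attribute type; value 1 = Login-User

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_disconnect_request(ident: int, mac: str, secret: bytes) -> bytes:
    """Build the packet that the pod.txt test in the thread describes."""
    attrs = attr(CALLING_STATION_ID, mac.encode()) + attr(SERVICE_TYPE, struct.pack("!I", 1))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attributes + secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def nas_check(packet: bytes, src_ip: str, known_servers: dict) -> str:
    """Hypothetical receiver model: known_servers maps sender IP -> shared secret."""
    secret = known_servers.get(src_ip)
    if secret is None:
        return "unknown server"        # dropped without a reply: sender sees a timeout
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return "malformed"
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return "bad authenticator"     # also dropped silently: same timeout on the sender
    return "accepted"

# Constructed sample values taken from the thread's own test
SAMPLE = build_disconnect_request(61, "00:11:22:33:44:55", b"useStrongerSecret")

if __name__ == "__main__":
    tables = {
        "sender not defined": {},
        "sender defined, other secret": {"10.93.0.1": b"someOtherSecret"},
        "sender defined, same secret": {"10.93.0.1": b"useStrongerSecret"},
    }
    for label, table in tables.items():
        print(f"{label}: {nas_check(SAMPLE, '10.93.0.1', table)}")
```

From the sender's side the first two outcomes look identical (no reply on port 3799), which is why the controller-side debug output is what separates them.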
