When I have nothing in raddb/clients.conf, and I have conf/switches.conf
with RadiusSecret=Secret and the matching secret on the WiSM for AAA Auth
config, then it does something really odd... The initial 802.1x
authentication seems to never complete, but then it gives me an IP in the
normal vlan instead of the registration vlan, and internet access works!
Even though 802.1x never says it's connected on the client....
It just seems like it needs the entry in raddb/clients.conf.
On Fri, Dec 7, 2012 at 1:30 PM, David Schiller <[email protected]> wrote:
> Here's something weird... I tried deleting my AAA auth server and
> recreating it in the CLI instead of through the webgui... it will not let
> me set RFC3576:
>
> (WiSM-slot6-1) >config radius auth rfc3576 enable 1
> Unable to set server's RFC 3576 state.
>
>
>
> On Fri, Dec 7, 2012 at 1:23 PM, David Schiller <[email protected]> wrote:
>
>> I have looked through that thread... Can you clear something up for me?
>> I thought that the Radius shared secret in PF was defined in
>> raddb/clients.conf and then on the WiSM in the obvious place. But you say
>> I can get rid of the entry in raddb/clients.conf, which I have, and it
>> still works. Where else is it defined in PF? In switches.conf, it doesn't
>> seem to make a difference if I have it or not in the definition for
>> 10.93.0.252... it is still able to do the initial authentication to
>> associate to the AP.
>>
>>
>> On Fri, Dec 7, 2012 at 1:13 PM, Durand Fabrice <[email protected]> wrote:
>>
>>> Have you looked at this thread
>>> http://www.mail-archive.com/[email protected]/msg03329.html
>>> It looks like your problem.
>>>
>>> Regards
>>>
>>> On 2012-12-07 15:47, David Schiller wrote:
>>>
>>> Yes... I think the secret here is in the debug message:
>>>
>>> *Dec 07 19:35:43.962: Received a 'RFC-3576 Disconnect-Request' from
>>> unknown server 10.93.0.1:50253
>>>
>>> It says "unknown server", despite the fact that it previously does a
>>> bunch of aaa stuff just fine with 10.93.0.1 to initially associate the user
>>> to the AP.
>>>
>>> Is there some other location where I need to define 10.93.0.1 as being
>>> OK?
>>>
>>> On Fri, Dec 7, 2012 at 12:19 PM, Durand Fabrice <[email protected]> wrote:
>>>
>>>> Have you removed what you did in clients.conf?
>>>> Regards
>>>>
>>>> On 2012-12-07 14:56, David Schiller wrote:
>>>>
>>>> 10.93.0.1 is the Packetfence interface which is running the Radius
>>>> server... here is the netstat:
>>>>
>>>> udp 0 0 10.93.0.1:1812 0.0.0.0:*
>>>>
>>>> udp 0 0 10.93.0.1:1813 0.0.0.0:*
>>>>
>>>> udp 0 0 10.93.0.1:1814 0.0.0.0:*
>>>>
>>>> That is configured with RFC 3576 and useStrongerSecret on the WiSM.
>>>>
>>>> On Fri, Dec 7, 2012 at 11:46 AM, Durand Fabrice <[email protected]> wrote:
>>>>
>>>>> What is this address 10.93.0.1?
>>>>> Your controller must know 10.93.0.1 as a radius server.
>>>>>
>>>>> Regards
>>>>>
>>>>> On 2012-12-07 14:36, David Schiller wrote:
>>>>>
>>>>> Hi, thanks... I do have RFC 3576 enabled. I did as you suggested but
>>>>> it didn't seem to work:
>>>>>
>>>>> $ cat pod.txt | radclient -x 10.93.0.252:3799 disconnect useStrongerSecret
>>>>> Sending Disconnect-Request of id 61 to 10.93.0.252 port 3799
>>>>> Calling-Station-Id = "00:11:22:33:44:55"
>>>>> Service-Type = Login-User
>>>>> Sending Disconnect-Request of id 61 to 10.93.0.252 port 3799
>>>>> Calling-Station-Id = "00:11:22:33:44:55"
>>>>> Service-Type = Login-User
>>>>> Sending Disconnect-Request of id 61 to 10.93.0.252 port 3799
>>>>> Calling-Station-Id = "00:11:22:33:44:55"
>>>>> Service-Type = Login-User
>>>>> radclient: no response from server for ID 61 socket 3
>>>>>
>>>>> Interestingly, on the WiSM I am debugging AAA:
>>>>>
>>>>> (WiSM-slot6-1) >
>>>>> *Dec 07 19:35:43.962: Received a 'RFC-3576 Disconnect-Request' from
>>>>> unknown server 10.93.0.1:50253
>>>>> *Dec 07 19:35:48.966: Received a 'RFC-3576 Disconnect-Request' from
>>>>> unknown server 10.93.0.1:50253
>>>>> *Dec 07 19:35:53.971: Received a 'RFC-3576 Disconnect-Request' from
>>>>> unknown server 10.93.0.1:50253
>>>>>
>>>>> So it seems to be getting there...
>>>>>
>>>>>
>>>>> On Fri, Dec 7, 2012 at 7:47 AM, Durand Fabrice <[email protected]> wrote:
>>>>>
>>>>>> Hello David,
>>>>>> First, you don't have to set the radius secret in raddb/clients.conf.
>>>>>> Radius is configured to get the client configuration from the PacketFence
>>>>>> database.
>>>>>>
>>>>>> You also have to enable RFC 3576 in the controller and you can make a
>>>>>> test by using this command:
>>>>>>
>>>>>> Create a file pod.txt:
>>>>>>
>>>>>> Calling-Station-Id = "00:11:22:33:44:55"
>>>>>> Service-Type = "Login-User"
>>>>>>
>>>>>> And launch:
>>>>>>
>>>>>> cat pod.txt | radclient -x 10.93.0.252:3799 disconnect useStrongerSecret
>>>>>>
>>>>>> Regards
>>>>>> Fabrice
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 2012-12-06 16:46, David Schiller wrote:
>>>>>>
>>>>>> Hi, I am in the process of moving our standalone AP setup to a LWAPP
>>>>>> setup with a Cisco WiSM. I actually have managed to get everything pretty
>>>>>> much working, but one thing I have not been able to figure out is how to
>>>>>> get PF to properly Deauth users once they register, to place them in the
>>>>>> proper VLAN. If I manually leave the SSID and come back, then it makes
>>>>>> the switch OK, but we obviously want this to be automated like with the
>>>>>> standalone setup. I am getting this in the packetfence.log:
>>>>>>
>>>>>> Dec 06 14:16:09 pfcmd(19120) INFO: trying to dissociate a wireless
>>>>>> 802.1x user, this might not work depending on hardware support. If its
>>>>>> your case please file a bug (pf::enforcement::_vlan_reevaluation)
>>>>>> Dec 06 14:16:11 pfsetvlan(21) INFO: local (127.0.0.1) trap for switch
>>>>>> 10.93.0.252 (main::parseTrap)
>>>>>> Dec 06 14:16:11 pfsetvlan(1) INFO: nb of items in queue: 1; nb of
>>>>>> threads running: 0 (main::startTrapHandlers)
>>>>>> Dec 06 14:16:11 pfsetvlan(1) INFO: desAssociate trap received on
>>>>>> 10.93.0.252 for wireless client 00:1e:52:xx:xx:xx (main::handleTrap)
>>>>>> Dec 06 14:16:13 pfcmd_vlan(19129) INFO: wireless deauthentication of
>>>>>> a 802.1x MAC (main::)
>>>>>> Dec 06 14:16:23 pfcmd_vlan(19129) WARN: Unable to perform RADIUS
>>>>>> Disconnect-Request: Timeout waiting for a reply from 10.93.0.252 on port
>>>>>> 3799 at /usr/local/pf/lib/pf/util/radius.pm line 160. (pf::SNMP::__ANON__)
>>>>>> Dec 06 14:16:23 pfcmd_vlan(19129) ERROR: Wrong RADIUS secret or
>>>>>> unreachable network device... (pf::SNMP::__ANON__)
>>>>>>
>>>>>> It is a little unclear to me whether or not the WiSM uses RADIUS or SNMP
>>>>>> for Deauth... it looks like it is trying RADIUS but I have seen other
>>>>>> threads that seemed to indicate that this is done with SNMP. I have double
>>>>>> checked that my shared secret in raddb/clients.conf and in the WiSM config
>>>>>> is correct. Also, IP connectivity between everything seems to be fine. I
>>>>>> have this in my switches.conf:
>>>>>>
>>>>>> [10.93.0.252]
>>>>>> mode=production
>>>>>> type=Cisco::WiSM
>>>>>> vlans=92,93,94,95,96
>>>>>> normalVlan=94
>>>>>> isolationVlan=92
>>>>>> radiusSecret=useStrongerSecret
>>>>>> SNMPVersion=1
>>>>>> SNMPCommunityRead=public
>>>>>> SNMPCommunityWrite=private
>>>>>> SNMPVersionTrap=1
>>>>>> SNMPCommunityTrap=public
>>>>>>
>>>>>> One other thing I have noticed, which may or may not be related, is that
>>>>>> in Packetfence under Nodes, before it would show me the IP address of the
>>>>>> last AP the user was on, but now with the WiSM it only shows the IP address
>>>>>> of the WiSM instead of the particular IP. Can this be fixed? It is useful
>>>>>> to know which AP a user is associated with, and I am wondering if this is
>>>>>> actually maybe a problem.
>>>>>>
>>>>>> Please let me know if you need more info... thanks,
>>>>>>
>>>>>> David
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Fabrice [email protected] :: +1.514.447.4918 (x135) ::
>>>>>> www.inverse.ca
>>>>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
>>>>>> (http://packetfence.org)
>>>>>>
>>>>>>
>>>>>>
------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
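Added example, not part of this thread and not PacketFence or Cisco code: a small offline Python model of the exchange that the radclient test in the thread performs. It builds a RADIUS Disconnect-Request (RFC 3576, now RFC 5176) the way radclient does, with the Request Authenticator derived from the shared secret, and models the controller side, which first checks that the source IP is a configured RADIUS server and then verifies the authenticator with that server's secret. A request that fails either check is dropped without any reply, which is why the sender only ever sees "no response from server" or "Wrong RADIUS secret or unreachable network device". The secrets, the server table keyed by IP, and the MAC are constructed sample values; `controller_handle` is a hypothetical model of the WiSM's decision, not its firmware logic.

```python
"""Offline model of RFC 3576/5176 Disconnect-Request authentication (added example)."""
import hashlib
import hmac
import struct

# RADIUS codes and attribute types used by the thread's radclient test
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_SERVICE_TYPE, ATTR_CALLING_STATION_ID = 6, 31
SERVICE_TYPE_LOGIN_USER = 1


def attribute(attr_type, value):
    """Encode one Type-Length-Value attribute (length covers the 2-byte header)."""
    return bytes([attr_type, 2 + len(value)]) + value


def parse_attributes(raw):
    """Decode TLV attributes into {type: value}; stop at a malformed length."""
    attrs, pos = {}, 0
    while pos + 2 <= len(raw):
        attr_type, length = raw[pos], raw[pos + 1]
        if length < 2 or pos + length > len(raw):
            break
        attrs[attr_type] = raw[pos + 2:pos + length]
        pos += length
    return attrs


def build_disconnect_request(ident, secret, calling_station_id):
    """Build what radclient sends for 'disconnect'. Per RFC 5176 section 2.3 the
    Request Authenticator is MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    attrs = (attribute(ATTR_CALLING_STATION_ID, calling_station_id.encode())
             + attribute(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN_USER)))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request(packet, secret):
    """Controller-side check of the Request Authenticator with the configured secret."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_response(code, request, secret, attrs=b""):
    """Disconnect-ACK/NAK: the Response Authenticator is
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def verify_response(response, request, secret):
    """Client-side check that the ACK/NAK came from a peer holding the same secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def controller_handle(packet, src_ip, known_servers):
    """Hypothetical model of the controller's decision (not WiSM firmware logic).
    known_servers maps a configured RADIUS server IP to its shared secret.
    Returns (outcome, detail); a dropped request gets no reply at all, which is
    what 'radclient: no response from server' looks like on the sending side."""
    if src_ip not in known_servers:
        return "dropped", f"Received a 'RFC-3576 Disconnect-Request' from unknown server {src_ip}"
    secret = known_servers[src_ip]
    if not verify_request(packet, secret):
        return "dropped", "Request Authenticator mismatch: shared secret differs"
    return "ack", build_response(DISCONNECT_ACK, packet, secret)


if __name__ == "__main__":
    # Constructed sample: the NAC server at 10.93.0.1 sends a PoD for the thread's test MAC.
    SECRET = b"useStrongerSecret"
    pod = build_disconnect_request(61, SECRET, "00:11:22:33:44:55")
    mac = parse_attributes(pod[20:])[ATTR_CALLING_STATION_ID].decode()
    scenarios = [("server not configured", {}),
                 ("server configured, wrong secret", {"10.93.0.1": b"Secret"}),
                 ("server configured, matching secret", {"10.93.0.1": SECRET})]
    for label, table in scenarios:
        outcome, detail = controller_handle(pod, "10.93.0.1", table)
        shown = detail if outcome == "dropped" else f"Disconnect-ACK for {mac}, id {detail[1]}"
        print(f"{label}: {outcome}: {shown}")
```

The three scenarios map onto the thread: the first is the "unknown server" debug line on the WiSM, the second is the silent drop PacketFence reports as a timeout, and only the third produces the Disconnect-ACK that `pfcmd_vlan` is waiting for. Both checks are deliberately silent on failure, so the only way to tell the two failure modes apart from the sending side is the controller's own AAA debug output.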