Actually, disregard this last one, restarting PF fixed that.
On Fri, Dec 7, 2012 at 2:40 PM, David Schiller <[email protected]> wrote:
> When I have nothing in raddb/clients.conf, and I have conf/switches.conf
> with RadiusSecret=Secret and the matching secret on the WiSM for AAA Auth
> config, then it does something really odd... The initial 802.1x
> authentication seems to never complete, but then it gives me an IP in the
> normal vlan instead of the registration vlan, and internet access works!
> Even though 802.1x never says it's connected on the client....
>
> It just seems like it needs the entry in raddb/clients.conf.
>
>
> On Fri, Dec 7, 2012 at 1:30 PM, David Schiller <[email protected]> wrote:
>
>> Here's something weird... I tried deleting my AAA auth server and
>> recreating it in the CLI instead of through the webgui... it will not let
>> me set RFC3576:
>>
>> (WiSM-slot6-1) >config radius auth rfc3576 enable 1
>> Unable to set server's RFC 3576 state.
>>
>>
>>
>> On Fri, Dec 7, 2012 at 1:23 PM, David Schiller <[email protected]> wrote:
>>
>>> I have looked through that thread... Can you clear something up for me?
>>> I thought that the Radius shared secret in PF was defined in
>>> raddb/clients.conf and then on the WiSM in the obvious place. But you say
>>> I can get rid of the entry in raddb/clients.conf, which I have, and it
>>> still works. Where else is it defined in PF? In switches.conf, it doesn't
>>> seem to make a difference if I have it or not in the definition for
>>> 10.93.0.252... it is still able to do the initial authentication to
>>> associate to the AP.
>>>
>>>
>>> On Fri, Dec 7, 2012 at 1:13 PM, Durand Fabrice <[email protected]> wrote:
>>>
>>>> Have you looked this thread
>>>> http://www.mail-archive.com/[email protected]/msg03329.html
>>>> It looks like your problem.
>>>>
>>>> Regards
>>>>
>>>> On 2012-12-07 15:47, David Schiller wrote:
>>>>
>>>> Yes... I think the secret here is in the debug message:
>>>>
>>>> *Dec 07 19:35:43.962: Received a 'RFC-3576 Disconnect-Request' from
>>>> unknown server 10.93.0.1:50253
>>>>
>>>> It says "unknown server", despite the fact that it previously does a
>>>> bunch of aaa stuff just fine with 10.93.0.1 to initially associate the user
>>>> to the AP.
>>>>
>>>> Is there some other location where I need to define 10.93.0.1 as being
>>>> OK?
>>>>
>>>> On Fri, Dec 7, 2012 at 12:19 PM, Durand Fabrice <[email protected]> wrote:
>>>>
>>>>> Have you removed what you did in clients.conf ?
>>>>> Regards
>>>>>
>>>>> On 2012-12-07 14:56, David Schiller wrote:
>>>>>
>>>>> 10.93.0.1 is the Packetfence interface which is running the Radius
>>>>> server... here is the netstat:
>>>>>
>>>>> udp 0 0 10.93.0.1:1812 0.0.0.0:*
>>>>>
>>>>> udp 0 0 10.93.0.1:1813 0.0.0.0:*
>>>>>
>>>>> udp 0 0 10.93.0.1:1814 0.0.0.0:*
>>>>>
>>>>> That is configured with RFC 3576 and useStrongerSecret on the WiSM.
>>>>>
>>>>> On Fri, Dec 7, 2012 at 11:46 AM, Durand Fabrice <[email protected]> wrote:
>>>>>
>>>>>> What is this address 10.93.0.1?
>>>>>> Your controller must know 10.93.0.1 as a radius server.
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> On 2012-12-07 14:36, David Schiller wrote:
>>>>>>
>>>>>> Hi, thanks... I do have RFC 3576 enabled. I did as you suggested but
>>>>>> it didn't seem to work:
>>>>>>
>>>>>> $ cat pod.txt | radclient -x 10.93.0.252:3799 disconnect useStrongerSecret
>>>>>> Sending Disconnect-Request of id 61 to 10.93.0.252 port 3799
>>>>>> Calling-Station-Id = "00:11:22:33:44:55"
>>>>>> Service-Type = Login-User
>>>>>> Sending Disconnect-Request of id 61 to 10.93.0.252 port 3799
>>>>>> Calling-Station-Id = "00:11:22:33:44:55"
>>>>>> Service-Type = Login-User
>>>>>> Sending Disconnect-Request of id 61 to 10.93.0.252 port 3799
>>>>>> Calling-Station-Id = "00:11:22:33:44:55"
>>>>>> Service-Type = Login-User
>>>>>> radclient: no response from server for ID 61 socket 3
>>>>>>
>>>>>> Interestingly, on the WiSM I am debugging AAA:
>>>>>>
>>>>>> (WiSM-slot6-1) >
>>>>>> *Dec 07 19:35:43.962: Received a 'RFC-3576 Disconnect-Request' from
>>>>>> unknown server 10.93.0.1:50253
>>>>>> *Dec 07 19:35:48.966: Received a 'RFC-3576 Disconnect-Request' from
>>>>>> unknown server 10.93.0.1:50253
>>>>>> *Dec 07 19:35:53.971: Received a 'RFC-3576 Disconnect-Request' from
>>>>>> unknown server 10.93.0.1:50253
>>>>>>
>>>>>> So it seems to be getting there...
>>>>>>
>>>>>>
>>>>>> On Fri, Dec 7, 2012 at 7:47 AM, Durand Fabrice <[email protected]> wrote:
>>>>>>
>>>>>>> Hello David,
>>>>>>> First you don't have to set radius secret in raddb/clients.conf.
>>>>>>> Radius is configured to get the clients configuration in packetfence
>>>>>>> database.
>>>>>>>
>>>>>>> You also have to enable RFC 3576 in the controller and you can make
>>>>>>> a test by using this command:
>>>>>>>
>>>>>>> Create a file pod.txt containing:
>>>>>>>
>>>>>>> Calling-Station-Id = "00:11:22:33:44:55"
>>>>>>> Service-Type = "Login-User"
>>>>>>>
>>>>>>> And launch
>>>>>>> cat pod.txt | radclient -x 10.93.0.252:3799 disconnect useStrongerSecret
>>>>>>>
>>>>>>> Regards
>>>>>>> Fabrice
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 2012-12-06 16:46, David Schiller wrote:
>>>>>>>
>>>>>>> Hi, I am in the process of moving our standalone AP setup to a LWAPP setup with a Cisco WiSM. I actually have managed to get everything pretty much working, but one thing I have not been able to figure out is how to get PF to properly Deauth users once they register, to place them in the proper VLAN. If I manually leave the SSID and come back, then it makes the switch OK, but we obviously want this to be automated like with the standalone setup. I am getting this in the packetfence.log:
>>>>>>>
>>>>>>> Dec 06 14:16:09 pfcmd(19120) INFO: trying to dissociate a wireless 802.1x user, this might not work depending on hardware support. If its your case please file a bug (pf::enforcement::_vlan_reevaluation)
>>>>>>> Dec 06 14:16:11 pfsetvlan(21) INFO: local (127.0.0.1) trap for switch 10.93.0.252 (main::parseTrap)
>>>>>>> Dec 06 14:16:11 pfsetvlan(1) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
>>>>>>> Dec 06 14:16:11 pfsetvlan(1) INFO: desAssociate trap received on 10.93.0.252 for wireless client 00:1e:52:xx:xx:xx (main::handleTrap)
>>>>>>> Dec 06 14:16:13 pfcmd_vlan(19129) INFO: wireless deauthentication of a 802.1x MAC (main::)
>>>>>>> Dec 06 14:16:23 pfcmd_vlan(19129) WARN: Unable to perform RADIUS Disconnect-Request: Timeout waiting for a reply from 10.93.0.252 on port 3799 at /usr/local/pf/lib/pf/util/radius.pm line 160. (pf::SNMP::__ANON__)
>>>>>>> Dec 06 14:16:23 pfcmd_vlan(19129) ERROR: Wrong RADIUS secret or unreachable network device... (pf::SNMP::__ANON__)
>>>>>>>
>>>>>>> It is a little unclear to me whether or not the WiSM uses RADIUS or SNMP for Deauth... it looks like it is trying RADIUS but I have seen other threads that seemed to indicate that this is done with SNMP. I have double checked that my shared secret in raddb/clients.conf and in the WiSM config is correct. Also, IP connectivity between everything seems to be fine. I have this in my switches.conf:
>>>>>>>
>>>>>>> [10.93.0.252]
>>>>>>> mode=production
>>>>>>> type=Cisco::WiSM
>>>>>>> vlans=92,93,94,95,96
>>>>>>> normalVlan=94
>>>>>>> isolationVlan=92
>>>>>>> radiusSecret=useStrongerSecret
>>>>>>> SNMPVersion=1
>>>>>>> SNMPCommunityRead=public
>>>>>>> SNMPCommunityWrite=private
>>>>>>> SNMPVersionTrap=1
>>>>>>> SNMPCommunityTrap=public
>>>>>>>
>>>>>>> One other thing I have noticed, which may or may not be related, is that in Packetfence under Nodes, before it would show me the IP address of the last AP the user was on, but now with the WiSM it only shows the IP address of the WiSM instead of the particular IP. Can this be fixed? It is useful to know which AP a user is associated with, and I am wondering if this is actually maybe a problem.
>>>>>>>
>>>>>>> Please let me know if you need more info... thanks,
>>>>>>>
>>>>>>> David
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ------------------------------------------------------------------------------
>>>>>>> LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
>>>>>>> Remotely access PCs and mobile devices and provide instant support
>>>>>>> Improve your efficiency, and focus on delivering more value-add services
>>>>>>> Discover what IT Professionals Know. Rescue delivers
>>>>>>> http://p.sf.net/sfu/logmein_12329d2d
>>>>>>> _______________________________________________
>>>>>>> PacketFence-users mailing list
>>>>>>> [email protected]
>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Fabrice [email protected] :: +1.514.447.4918 (x135) ::
>>>>>>> www.inverse.ca
>>>>>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
>>>>>>> PacketFence (http://packetfence.org)
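The thread turns on two checks a controller makes before it honours the RFC 3576 Disconnect-Request that radclient (and PacketFence's pfcmd_vlan) sends: the source address must be a configured RADIUS server, and the Request Authenticator must verify under the shared secret for that server. If either fails the request is silently discarded, which is exactly why radclient reports "no response from server" and the WiSM debug shows "unknown server". The example below is an added illustration, not code from the thread, PacketFence or FreeRADIUS. It encodes the pod.txt attributes from Fabrice's test into a Disconnect-Request (code 40) following the packet layout of RFC 3576/5176, models the controller's two gates in a hypothetical `simulate_controller` function, and builds and verifies the Disconnect-ACK (code 41). It assumes no Message-Authenticator attribute is required, and the IP addresses and secret are the ones quoted in the thread, used only as sample values.

```python
import hashlib
import hmac
import struct

# Packet codes from RFC 3576 / RFC 5176
DISCONNECT_REQUEST = 40
DISCONNECT_ACK = 41
DISCONNECT_NAK = 42

# Attribute types used by the pod.txt in the thread
ATTR_SERVICE_TYPE = 6
ATTR_CALLING_STATION_ID = 31
SERVICE_TYPE_LOGIN_USER = 1


def encode_attrs(attrs):
    """Encode a list of (type, value_bytes) as RADIUS type/length/value triples."""
    out = bytearray()
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value exceeds 253 octets")
        out += bytes([attr_type, len(value) + 2]) + value
    return bytes(out)


def decode_attrs(data):
    """Parse RADIUS attributes, rejecting truncated or malformed lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, bytes(data[i + 2:i + length])))
        i += length
    return attrs


def build_disconnect_request(identifier, secret, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes.
    Request Authenticator = MD5(packet with zeroed authenticator || secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + auth + body


def verify_request(packet, secret):
    """Controller-side check: recompute the Request Authenticator under its own
    copy of the secret. A mismatch means a wrong secret or a tampered packet."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def build_response(code, request, secret, attrs=()):
    """Disconnect-ACK/NAK: same Identifier; Response Authenticator is MD5 over
    the response with the request's authenticator in the field, plus secret."""
    body = encode_attrs(list(attrs))
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


def verify_response(response, request, secret):
    """Client-side check (what radclient does before reporting an ACK)."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def simulate_controller(packet, src_ip, known_servers):
    """Hypothetical model of the two gates seen in the thread. known_servers maps
    RADIUS server IP -> shared secret. Unknown sources and bad authenticators are
    silently discarded (RFC 5176), so the client only ever sees a timeout."""
    if src_ip not in known_servers:
        return None, "Received a 'RFC-3576 Disconnect-Request' from unknown server " + src_ip
    secret = known_servers[src_ip]
    if not verify_request(packet, secret):
        return None, "Request Authenticator mismatch (wrong shared secret); discarded"
    return build_response(DISCONNECT_ACK, packet, secret), "Disconnect-ACK"


# Constructed sample: the pod.txt attributes and secret quoted in the thread
POD_ATTRS = [
    (ATTR_CALLING_STATION_ID, b"00:11:22:33:44:55"),
    (ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN_USER)),
]
SECRET = b"useStrongerSecret"

if __name__ == "__main__":
    req = build_disconnect_request(61, SECRET, POD_ATTRS)
    # Controller that does not list 10.93.0.1 as a RADIUS server: dropped.
    print(simulate_controller(req, "10.93.0.1", {})[1])
    # Controller that knows the server and shares the secret: ACK.
    resp, msg = simulate_controller(req, "10.93.0.1", {"10.93.0.1": SECRET})
    print(msg, verify_response(resp, req, SECRET))
```

The point for troubleshooting is that both failure modes look identical from the PacketFence side (a timeout, logged as "Wrong RADIUS secret or unreachable network device"), so the controller's own AAA debug is the only place that distinguishes an unregistered server from a secret mismatch.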