I recommend you first try with mac-auth (follow http://www.packetfence.org/downloads/PacketFence/doc/PacketFence_Network_Devices_Configuration_Guide-3.6.0.pdf ). Remove what you put in clients.conf, it's useless. Then, on the PacketFence server, kill the radius process and launch it in debug mode:

radiusd -d /usr/local/pf/raddb/ -X

You can see in the debug output that your controller appears. Then try to connect to your SSID; you can see the radius request and the access-accept. The first time, PacketFence returns the registration vlan, and on the PC you fall into the captive portal. Put in your username and password and look at packetfence.log to see if the deauth works (you can try with pod.txt and your PC's MAC address). If the deauth works you will see another radius request from the controller, answered with the normal vlan.
The deauth must be set on the controller's management interface. If this workflow works then you can try with 802.1x. If there is no way with radius deauth then you can try SNMP (just select snmp as the deauth method). Courage, you are on the right way.

Regards
Fabrice

On Friday 7 December 2012 18:22:24, David Schiller wrote:
> FYI, 10.93.0.252 is the WiSM management interface... should this deauth stuff be sent to the WiSM, or to the Access Point that the user is associated to? It seems to me like it should go to the AP, because that's what it was doing in the old setup.
>
> On Fri, Dec 7, 2012 at 2:46 PM, David Schiller <[email protected]> wrote:
>
> Actually, disregard this last one, restarting PF fixed that.
>
> On Fri, Dec 7, 2012 at 2:40 PM, David Schiller <[email protected]> wrote:
>
> When I have nothing in raddb/clients.conf, and I have conf/switches.conf with RadiusSecret=Secret and the matching secret on the WiSM for AAA Auth config, then it does something really odd... The initial 802.1x authentication seems to never complete, but then it gives me an IP in the normal vlan instead of the registration vlan, and internet access works! Even though 802.1x never says it's connected on the client....
>
> It just seems like it needs the entry in raddb/clients.conf.
>
> On Fri, Dec 7, 2012 at 1:30 PM, David Schiller <[email protected]> wrote:
>
> Here's something weird... I tried deleting my AAA auth server and recreating it in the CLI instead of through the webgui... it will not let me set RFC3576:
>
> (WiSM-slot6-1) >config radius auth rfc3576 enable 1
> Unable to set server's RFC 3576 state.
>
> On Fri, Dec 7, 2012 at 1:23 PM, David Schiller <[email protected]> wrote:
>
> I have looked through that thread... Can you clear something up for me? I thought that the Radius shared secret in PF was defined in raddb/clients.conf and then on the WiSM in the obvious place. But you say I can get rid of the entry in raddb/clients.conf, which I have, and it still works. Where else is it defined in PF? In switches.conf, it doesn't seem to make a difference if I have it or not in the definition for 10.93.0.252... it is still able to do the initial authentication to associate to the AP.
>
> On Fri, Dec 7, 2012 at 1:13 PM, Durand Fabrice <[email protected]> wrote:
>
> Have you looked at this thread?
> http://www.mail-archive.com/[email protected]/msg03329.html
> It looks like your problem.
>
> Regards
>
> On 2012-12-07 15:47, David Schiller wrote:
>> Yes... I think the secret here is in the debug message:
>>
>> *Dec 07 19:35:43.962: Received a 'RFC-3576 Disconnect-Request' from unknown server 10.93.0.1:50253
>>
>> It says "unknown server", despite the fact that it previously does a bunch of aaa stuff just fine with 10.93.0.1 to initially associate the user to the AP.
>>
>> Is there some other location where I need to define 10.93.0.1 as being OK?
>>
>> On Fri, Dec 7, 2012 at 12:19 PM, Durand Fabrice <[email protected]> wrote:
>>
>> Have you removed what you did in clients.conf?
>> Regards
>>
>> On 2012-12-07 14:56, David Schiller wrote:
>>> 10.93.0.1 is the Packetfence interface which is running the Radius server... here is the netstat:
>>>
>>> udp 0 0 10.93.0.1:1812 0.0.0.0:*
>>> udp 0 0 10.93.0.1:1813 0.0.0.0:*
>>> udp 0 0 10.93.0.1:1814 0.0.0.0:*
>>>
>>> That is configured with RFC 3576 and useStrongerSecret on the WiSM.
>>>
>>> On Fri, Dec 7, 2012 at 11:46 AM, Durand Fabrice <[email protected]> wrote:
>>>
>>> What is this address 10.93.0.1? Your controller must know 10.93.0.1 as a radius server.
>>>
>>> Regards
>>>
>>> On 2012-12-07 14:36, David Schiller wrote:
>>>> Hi, thanks... I do have RFC 3576 enabled. I did as you suggested but it didn't seem to work:
>>>>
>>>> $ cat pod.txt | radclient -x 10.93.0.252:3799 disconnect useStrongerSecret
>>>> Sending Disconnect-Request of id 61 to 10.93.0.252 port 3799
>>>> Calling-Station-Id = "00:11:22:33:44:55"
>>>> Service-Type = Login-User
>>>> Sending Disconnect-Request of id 61 to 10.93.0.252 port 3799
>>>> Calling-Station-Id = "00:11:22:33:44:55"
>>>> Service-Type = Login-User
>>>> Sending Disconnect-Request of id 61 to 10.93.0.252 port 3799
>>>> Calling-Station-Id = "00:11:22:33:44:55"
>>>> Service-Type = Login-User
>>>> radclient: no response from server for ID 61 socket 3
>>>>
>>>> Interestingly, on the WiSM I am debugging AAA:
>>>>
>>>> (WiSM-slot6-1) >
>>>> *Dec 07 19:35:43.962: Received a 'RFC-3576 Disconnect-Request' from unknown server 10.93.0.1:50253
>>>> *Dec 07 19:35:48.966: Received a 'RFC-3576 Disconnect-Request' from unknown server 10.93.0.1:50253
>>>> *Dec 07 19:35:53.971: Received a 'RFC-3576 Disconnect-Request' from unknown server 10.93.0.1:50253
>>>>
>>>> So it seems to be getting there...
>>>>
>>>> On Fri, Dec 7, 2012 at 7:47 AM, Durand Fabrice <[email protected]> wrote:
>>>>
>>>> Hello David,
>>>> First, you don't have to set the radius secret in raddb/clients.conf. Radius is configured to get the clients configuration from the packetfence database.
>>>>
>>>> You also have to enable RFC 3576 in the controller, and you can make a test by using this command:
>>>>
>>>> Create a file pod.txt
>>>>
>>>> Calling-Station-Id = "00:11:22:33:44:55"
>>>> Service-Type = "Login-User"
>>>>
>>>> And launch
>>>>
>>>> cat pod.txt | radclient -x 10.93.0.252:3799 disconnect useStrongerSecret
>>>>
>>>> Regards
>>>> Fabrice
>>>>
>>>> On 2012-12-06 16:46, David Schiller wrote:
>>>>> Hi, I am in the process of moving our standalone AP setup to a LWAPP setup with a Cisco WiSM. I actually have managed to get everything pretty much working, but one thing I have not been able to figure out is how to get PF to properly Deauth users once they register, to place them in the proper VLAN. If I manually leave the SSID and come back, then it makes the switch OK, but we obviously want this to be automated like with the standalone setup. I am getting this in the packetfence.log:
>>>>>
>>>>> Dec 06 14:16:09 pfcmd(19120) INFO: trying to dissociate a wireless 802.1x user, this might not work depending on hardware support. If its your case please file a bug (pf::enforcement::_vlan_reevaluation)
>>>>> Dec 06 14:16:11 pfsetvlan(21) INFO: local (127.0.0.1) trap for switch 10.93.0.252 (main::parseTrap)
>>>>> Dec 06 14:16:11 pfsetvlan(1) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
>>>>> Dec 06 14:16:11 pfsetvlan(1) INFO: desAssociate trap received on 10.93.0.252 for wireless client 00:1e:52:xx:xx:xx (main::handleTrap)
>>>>> Dec 06 14:16:13 pfcmd_vlan(19129) INFO: wireless deauthentication of a 802.1x MAC (main::)
>>>>> Dec 06 14:16:23 pfcmd_vlan(19129) WARN: Unable to perform RADIUS Disconnect-Request: Timeout waiting for a reply from 10.93.0.252 on port 3799 at /usr/local/pf/lib/pf/util/radius.pm line 160. (pf::SNMP::__ANON__)
>>>>> Dec 06 14:16:23 pfcmd_vlan(19129) ERROR: Wrong RADIUS secret or unreachable network device... (pf::SNMP::__ANON__)
>>>>>
>>>>> It is a little unclear to me whether or not the WiSM uses RADIUS or SNMP for Deauth... it looks like it is trying RADIUS but I have seen other threads that seemed to indicate that this is done with SNMP. I have double checked that my shared secret in raddb/clients.conf and in the WiSM config is correct. Also, IP connectivity between everything seems to be fine. I have this in my switches.conf:
>>>>>
>>>>> [10.93.0.252]
>>>>> mode=production
>>>>> type=Cisco::WiSM
>>>>> vlans=92,93,94,95,96
>>>>> normalVlan=94
>>>>> isolationVlan=92
>>>>> radiusSecret=useStrongerSecret
>>>>> SNMPVersion=1
>>>>> SNMPCommunityRead=public
>>>>> SNMPCommunityWrite=private
>>>>> SNMPVersionTrap=1
>>>>> SNMPCommunityTrap=public
>>>>>
>>>>> One other thing I have noticed, which may or may not be related, is that in Packetfence under Nodes, before it would show me the IP address of the last AP the user was on, but now with the WiSM it only shows the IP address of the WiSM instead of the particular IP. Can this be fixed? It is useful to know which AP a user is associated with, and I am wondering if this is actually maybe a problem.
>>>>>
>>>>> Please let me know if you need more info... thanks,
>>>>>
>>>>> David
>>>>
>>>> --
>>>> Fabrice Durand
>>>> [email protected] ::+1.514.447.4918 (x135) ::www.inverse.ca
>>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
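As an added illustration of the exchange this thread is debugging (example code, not from the thread or from PacketFence), the Python below builds the same Disconnect-Request that radclient sends from pod.txt and implements both authenticators of RFC 5176 (which obsoletes RFC 3576). The controller silently discards a request whose Request Authenticator does not verify, which is why a wrong shared secret looks exactly like an unreachable device on the PacketFence side; the Disconnect-ACK/NAK replies are constructed locally for the check, not captured from a WiSM.

```python
import hashlib
import hmac
import struct

# Packet codes from RFC 5176 and the two attributes radclient sent from pod.txt.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
CALLING_STATION_ID, SERVICE_TYPE = 31, 6
LOGIN_USER = 1  # Service-Type = Login-User


def attr(code: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; Length covers the 2-byte header."""
    return struct.pack("!BB", code, len(value) + 2) + value


def build_disconnect_request(secret: bytes, mac: str, ident: int) -> bytes:
    """Build what 'radclient ... disconnect' sends. The Request Authenticator is
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    attrs = attr(CALLING_STATION_ID, mac.encode()) + attr(
        SERVICE_TYPE, struct.pack("!I", LOGIN_USER))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs


def request_is_authentic(secret: bytes, packet: bytes) -> bool:
    """What the controller (the Dynamic Authorization Server) checks on receipt.
    A request failing this check is silently discarded, so the sender only ever
    sees a timeout, never an explicit 'wrong secret' error."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_reply(secret: bytes, request: bytes, code: int) -> bytes:
    """Constructed Disconnect-ACK/NAK with no attributes (not real WiSM output).
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def check_reply(secret: bytes, request: bytes, reply: bytes) -> str:
    """Client-side validation: 'ack', 'nak', or 'invalid' when the reply does not
    belong to this request or was not built with our shared secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply):
        return "invalid"
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return "invalid"
    return {DISCONNECT_ACK: "ack", DISCONNECT_NAK: "nak"}.get(code, "invalid")
```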
