Hello all.

Regarding this issue, I've been searching for a while and I did find
others reporting similar issues (same errors in the logs), but for some reason
they didn't apply to my case.

The environment

PF is in VLAN enforcement mode. Although it's working, I'm aware that's not
the best configuration. I'm still learning :)

Native Vlan = 1
Guest Vlan = 10
Registration Vlan = 11


In pf.conf:

[interface eth1.10]
enforcement=inline
ip=192.168.70.2
type=dhcp-listener
mask=255.255.255.192
gateway=192.168.70.1

[interface eth1.11]
enforcement=vlan
ip=10.10.150.1
type=internal
mask=255.255.255.0


Aironet 1250 config


!
! Last configuration change at 05:51:46 UTC Thu Mar 4 1993
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname wifi02
!
logging rate-limit console 9
enable secret XXXXXXXXXXXXXXXXXXXXXXXXX
aaa new-model
!
!
aaa group server radius rad_eap
 server OTHER_RADIUS auth-port 1812 acct-port 1813
 server OTHER_RADIUS auth-port 1812 acct-port 1813
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_acct1
 server OTHER_RADIUS auth-port 1812 acct-port 1813
 server OTHER_RADIUS auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
 server PACKETFENCESRV auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac3
 server PACKETFENCESRV auth-port 1812 acct-port 1813
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login mac_methods3 group rad_mac3
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa accounting network acct_methods1 start-stop group rad_acct1
!
!
!
!
!
aaa session-id common
ip domain name act.XXXXXXXXXX
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
!
!
dot11 syslog
dot11 vlan-name Guest vlan 10
dot11 vlan-name Registration vlan 11
dot11 vlan-name Voice vlan 100
!
dot11 ssid TWGuest
   vlan 11 backup 10
   authentication open mac-address mac_methods3
   mbssid guest-mode
!
dot11 ssid CORPSECURE
   vlan 1
   authentication open eap eap_methods
   authentication key-management wpa version 2
   accounting acct_methods1
   mbssid guest-mode
!
dot11 ssid CORPVOIP
   vlan 100
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii 7 HEX_LON_ENC_PASS
!
dot11 aaa csid ietf
crypto pki token default removal timeout 0
!
!
username XXXXXXXX password 7 XXXXXXX
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 1 mode ciphers aes-ccm tkip
 !
 encryption vlan 100 mode ciphers tkip
 !
 ssid TWGuest
 !
 ssid Tasko
 !
 ssid TaskoV
 !
 antenna gain 0
 mbssid
 speed  11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 station-role root
 world-mode dot11d country-code PT both
 no cdp enable
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 spanning-disabled
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
!
interface Dot11Radio0.11
 encapsulation dot1Q 11
 no ip route-cache
 bridge-group 11
 bridge-group 11 subscriber-loop-control
 bridge-group 11 spanning-disabled
 bridge-group 11 block-unknown-source
 no bridge-group 11 source-learning
 no bridge-group 11 unicast-flooding
!
interface Dot11Radio0.100
 encapsulation dot1Q 100
 no ip route-cache
 bridge-group 100
 bridge-group 100 subscriber-loop-control
 bridge-group 100 spanning-disabled
 bridge-group 100 block-unknown-source
 no bridge-group 100 source-learning
 no bridge-group 100 unicast-flooding
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 antenna gain 0
 no dfs band block
 speed  basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
 channel dfs
 station-role root
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface GigabitEthernet0.10
 encapsulation dot1Q 10
 no ip route-cache
 bridge-group 10
 bridge-group 10 spanning-disabled
 no bridge-group 10 source-learning
!
interface GigabitEthernet0.11
 encapsulation dot1Q 11
 no ip route-cache
 bridge-group 11
 bridge-group 11 spanning-disabled
 no bridge-group 11 source-learning
!
interface GigabitEthernet0.100
 encapsulation dot1Q 100
 no ip route-cache
 bridge-group 100
 bridge-group 100 spanning-disabled
 no bridge-group 100 source-learning
!
interface BVI1
 ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.0
 no ip route-cache
!
ip default-gateway xxx.xxx.xxx.xxx
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
access-list 111 permit tcp any any neq telnet
snmp-server view dot11view ieee802dot11 included
snmp-server community public RO
snmp-server community notpublic RW
snmp-server contact security@
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps aaa_server

snmp-server host PACKETFENCESRV version 2c public  disassociate deauthenticate authenticate-fail
radius-server attribute 32 include-in-access-req format %h
radius-server host OTHER_RADIUS auth-port 1812 acct-port 1813 key 7 STRONG
radius-server host OTHER_RADIUS auth-port 1812 acct-port 1813 key 7 STRONG
radius-server host PACKETFENCESRV auth-port 1812 acct-port 1813 key 7 STRONG
radius-server deadtime 5
radius-server vsa send accounting
radius-server vsa send authentication
!
bridge 1 route ip
!
!
wlccp wds aaa csid ietf
!
line con 0
line vty 0 4
 transport input all
!
end



Logs from my mobile phone Wi-Fi connection

I've noticed that the AP sends TWO Cisco-AVPair attributes. Since I don't know if
the last one "overwrites" the first, I've searched for how to limit that
information, but with no luck.

RADIUSD Debug



rad_recv: Access-Request packet from host 192.168.69.244 port 1645, id=16, length=173
        User-Name = "0446655af9d5"
        User-Password = "0446655af9d5"
        Called-Station-Id = "00-23-5E-B0-38-00"
        Calling-Station-Id = "04-46-65-5A-F9-D5"
        Cisco-AVPair = "ssid=TWGuest"
        Service-Type = Login-User
        Cisco-AVPair = "service-type=Login"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 260
        NAS-Port-Id = "260"
        NAS-IP-Address = 192.168.69.244
        NAS-Identifier = "wifi02"
server packetfence {
# Executing section authorize from file /usr/local/pf/raddb//sites-enabled/packetfence
+- entering group authorize {...}
[suffix] No '@' in User-Name = "0446655af9d5", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[preprocess] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Login-User
rlm_perl: Added pair Calling-Station-Id = 04-46-65-5A-F9-D5
rlm_perl: Added pair Called-Station-Id = 00-23-5E-B0-38-00
rlm_perl: Added pair Cisco-AVPair = ssid=TWGuest
rlm_perl: Added pair Cisco-AVPair = service-type=Login
rlm_perl: Added pair User-Name = 0446655af9d5
rlm_perl: Added pair NAS-Identifier = wifi02
rlm_perl: Added pair User-Password = 0446655af9d5
rlm_perl: Added pair NAS-IP-Address = 192.168.69.244
rlm_perl: Added pair NAS-Port = 260
rlm_perl: Added pair NAS-Port-Id = 260
rlm_perl: Added pair Auth-Type = Accept
++[packetfence] returns noop
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Login OK: [0446655af9d5] (from client 192.168.69.244 port 260 cli 04-46-65-5A-F9-D5)
# Executing section post-auth from file /usr/local/pf/raddb//sites-enabled/packetfence
+- entering group post-auth {...}
++[exec] returns noop
++? if (!EAP-Type || (EAP-Type != 21 && EAP-Type != 25))
? Evaluating !(EAP-Type ) -> TRUE
?? Skipping (EAP-Type != 21 )
?? Skipping (EAP-Type != 25)
++? if (!EAP-Type || (EAP-Type != 21 && EAP-Type != 25)) -> TRUE
++- entering if (!EAP-Type || (EAP-Type != 21 && EAP-Type != 25)) {...}
rlm_perl: Returning vlan 10 to request from 04:46:65:5a:f9:d5 port 260
rlm_perl: PacketFence RESULT RESPONSE CODE: 2 (2 means OK)
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Login-User
rlm_perl: Added pair Called-Station-Id = 00-23-5E-B0-38-00
rlm_perl: Added pair Calling-Station-Id = 04-46-65-5A-F9-D5
rlm_perl: Added pair Cisco-AVPair = ssid=TWGuest
rlm_perl: Added pair Cisco-AVPair = service-type=Login
rlm_perl: Added pair User-Name = 0446655af9d5
rlm_perl: Added pair NAS-Identifier = wifi02
rlm_perl: Added pair User-Password = 0446655af9d5
rlm_perl: Added pair NAS-Port = 260
rlm_perl: Added pair NAS-IP-Address = 192.168.69.244
rlm_perl: Added pair NAS-Port-Id = 260
rlm_perl: Added pair Tunnel-Private-Group-ID = 10
rlm_perl: Added pair Tunnel-Type = 13
rlm_perl: Added pair Tunnel-Medium-Type = 6
rlm_perl: Added pair Auth-Type = Accept
+++[packetfence] returns ok
++- if (!EAP-Type || (EAP-Type != 21 && EAP-Type != 25)) returns ok
} # server packetfence
Sending Access-Accept of id 16 to 192.168.69.244 port 1645
        Tunnel-Private-Group-Id:0 = "10"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
Finished request 45.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 45 ID 16 with timestamp +52434
Ready to process requests.


packetfence.log


Sep 17 09:48:30 pf::WebAPI(1796) INFO: handling radius autz request: from switch_ip => 192.168.69.244, connection_type => Wireless-802.11-NoEAP mac => 04:46:65:5a:f9:d5, port => 260, username => 0446655af9d5 (pf::radius::authorize)
Sep 17 09:48:31 pf::WebAPI(1796) WARN: Unable to extract SSID for module pf::SNMP::Cisco::Aironet_WDS. SSID-based VLAN assignments won't work. Make sure you enable Vendor Specific Attributes (VSA) on the AP if you want them to work. (pf::SNMP::Cisco::Aironet_WDS::extractSsid)
Sep 17 09:48:31 pf::WebAPI(1796) INFO: Username was NOT defined or unable to match a role - returning node based role 'guest' (pf::vlan::getNormalVlan)
Sep 17 09:48:31 pf::WebAPI(1796) INFO: MAC: 04:46:65:5a:f9:d5, PID: convidado, Status: reg. Returned VLAN: 10 (pf::vlan::fetchVlanForNode)
Sep 17 09:48:31 pf::WebAPI(1796) WARN: No parameter guestRole found in conf/switches.conf for the switch 192.168.69.244 (pf::SNMP::getRoleByName)
Sep 17 09:48:32 pfdhcplistener(4768) INFO: DHCPREQUEST from 04:46:65:5a:f9:d5 (192.168.70.10) (main::parse_dhcp_request)
Sep 17 09:48:32 pfdhcplistener(4768) INFO: 04:46:65:5a:f9:d5 requested an IP. DHCP Fingerprint: OS::1112 (Samsung Android). Modified node with last_dhcp = 2013-09-17 09:48:32,computername = android-cfbfb835f3c74cd4,dhcp_fingerprint = 1,33,3,6,15,28,51,58,59 (main::listen_dhcp)


Any help would be much appreciated.

Best regards,

Pedro

_______________________________________________
PacketFence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users
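The post above asks whether the second Cisco-AVPair ("service-type=Login") can overwrite the first ("ssid=TWGuest"), and the packetfence.log warning says the SSID could not be extracted. The following is an added example, written for this page and not PacketFence's own extractSsid code, that parses the attribute lines of the radiusd debug dump exactly as printed and contrasts two lookups: one that folds repeated attributes into a single-valued map (last value wins, which is what the poster is worried about) and one that keeps every value of a repeated attribute and scans all of them for "ssid=". It models one plausible reading of the question and does not claim to be the actual cause in PacketFence; the sample dump is constructed from the values shown in the post, and the function names are this example's own.

```python
"""Extract the SSID from Cisco-AVPair in a radiusd Access-Request debug dump.

Added example, not PacketFence code. Demonstrates why a RADIUS attribute that
appears more than once (here Cisco-AVPair) must be handled as a list: a naive
last-value-wins map drops "ssid=TWGuest" because "service-type=Login" follows it.
"""
import re
from collections import defaultdict

# Constructed sample: the attribute lines radiusd printed for the Access-Request
# in the post (same MACs, NAS address, SSID and attribute order).
SAMPLE_REQUEST = """\
        User-Name = "0446655af9d5"
        User-Password = "0446655af9d5"
        Called-Station-Id = "00-23-5E-B0-38-00"
        Calling-Station-Id = "04-46-65-5A-F9-D5"
        Cisco-AVPair = "ssid=TWGuest"
        Service-Type = Login-User
        Cisco-AVPair = "service-type=Login"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 260
        NAS-Port-Id = "260"
        NAS-IP-Address = 192.168.69.244
        NAS-Identifier = "wifi02"
"""

# One radiusd attribute line: <Name> = <value>; the value may itself contain '='.
ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*(.*?)\s*$')


def parse_attrs(dump):
    """Return {attribute: [value, ...]}, preserving order and every repeat."""
    attrs = defaultdict(list)
    for line in dump.splitlines():
        m = ATTR_RE.match(line)
        if not m:
            continue  # skip non-attribute lines (rad_recv header, module output)
        name, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # strip radiusd's quoting of string attributes
        attrs[name].append(value)
    return dict(attrs)


def flatten_last_wins(attrs):
    """Collapse to a single-valued map the way a naive hash would: last value wins.
    This is the behaviour the post is worried about."""
    return {name: values[-1] for name, values in attrs.items()}


def ssid_from_avpairs(avpairs):
    """Scan every Cisco-AVPair value for ssid=<name>; None if no such pair."""
    for pair in avpairs:
        key, sep, val = pair.partition('=')
        if sep and key.strip().lower() == 'ssid' and val.strip():
            return val.strip()
    return None


def extract_ssid_naive(dump):
    """SSID lookup after folding repeated attributes last-wins (order-dependent)."""
    flat = flatten_last_wins(parse_attrs(dump))
    return ssid_from_avpairs([flat.get('Cisco-AVPair', '')])


def extract_ssid(dump):
    """SSID lookup over the full multi-valued attribute list (order-independent)."""
    return ssid_from_avpairs(parse_attrs(dump).get('Cisco-AVPair', []))


if __name__ == '__main__':
    print('Cisco-AVPair values:', parse_attrs(SAMPLE_REQUEST)['Cisco-AVPair'])
    print('naive (last wins):', extract_ssid_naive(SAMPLE_REQUEST))  # None
    print('multi-valued     :', extract_ssid(SAMPLE_REQUEST))        # TWGuest
```

If you feed the block a dump in which the two Cisco-AVPair lines are swapped, the naive lookup suddenly succeeds, which is the tell-tale of an order-dependent single-valued map; the multi-valued lookup returns TWGuest either way. When checking a RADIUS client or a NAC module's attribute handling, that swap is the quickest test to run.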
