Hello Pedro
Can you edit the /usr/local/pf/lib/SNMP/Cisco/Aironet_WDS.pm file and add the
following:
in sub extractSsid, just after the "my $logger … " line (at line 204 if you use
the latest version of PacketFence), add the following two lines:
use Data::Dumper;   # exports Dumper(), which serialises the whole request hash
$logger->info("PACKETFENCE DEBUGGING: " . Dumper($radius_request));
Then, restart PacketFence and retry. Paste the relevant log output.
Cheers!
dw.
--
Derek Wuelfrath
[email protected] :: +1.514.447.4918 (x110) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
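The Python below is an added example, not PacketFence or FreeRADIUS code. It parses the rad_recv attribute block from the quoted radiusd debug (sample constructed from those lines), keeps every occurrence of a repeated attribute, and shows why an SSID lookup that expects a single Cisco-AVPair value misses "ssid=TWGuest" when the AP sends "service-type=Login" as a second pair after it.

```python
# Added example (not PacketFence code): keep repeated RADIUS attributes such as
# Cisco-AVPair as a list and extract the ssid from whichever occurrence carries it.
import re
from collections import defaultdict

# Constructed from the rad_recv block in the quoted radiusd debug output.
RAD_RECV = """\
rad_recv: Access-Request packet from host 192.168.69.244 port 1645, id=16, length=173
    User-Name = "0446655af9d5"
    Called-Station-Id = "00-23-5E-B0-38-00"
    Calling-Station-Id = "04-46-65-5A-F9-D5"
    Cisco-AVPair = "ssid=TWGuest"
    Service-Type = Login-User
    Cisco-AVPair = "service-type=Login"
    NAS-Port-Type = Wireless-802.11
    NAS-Identifier = "wifi02"
"""

# One "Attribute = value" line; quotes around the value are optional.
ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^"]*)"?\s*$')

def parse_attributes(debug_text):
    """Return {attribute: [value, ...]}, preserving every occurrence in order."""
    attrs = defaultdict(list)
    for line in debug_text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)].append(m.group(2))
    return dict(attrs)

def collapse_last_wins(attrs):
    """Mimic a handler that stores each attribute as one scalar: the last value wins."""
    return {name: values[-1] for name, values in attrs.items()}

def extract_ssid(request):
    """Find ssid=<name> in Cisco-AVPair whether it is a single string or a list."""
    avpairs = request.get("Cisco-AVPair")
    if avpairs is None:
        return None
    if isinstance(avpairs, str):
        avpairs = [avpairs]
    for pair in avpairs:
        m = re.match(r"^ssid=(.+)$", pair)
        if m:
            return m.group(1)
    return None

if __name__ == "__main__":
    multi = parse_attributes(RAD_RECV)
    print(extract_ssid(multi))                      # TWGuest
    print(extract_ssid(collapse_last_wins(multi)))  # None: ssid was overwritten
```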
On 2013-09-17, at 5:33 AM, "Pedro, Tavares" <[email protected]> wrote:
> Hello all.
>
>
> Regarding this issue, I've been searching for a while and I did find others
> reporting similar issues (same errors in logs), but for some reason it didn't
> apply to my case.
>
> The environment
>
> PF is in Vlan enforcement mode. Although it's working, I'm aware that's not
> the best configuration. I'm still learning :)
>
> Native Vlan = 1
> Guest Vlan = 10
> Registration Vlan = 11
>
>
> in PF.CONF
>
> [interface eth1.10]
> enforcement=inline
> ip=192.168.70.2
> type=dhcp-listener
> mask=255.255.255.192
> gateway=192.168.70.1
>
> [interface eth1.11]
> enforcement=vlan
> ip=10.10.150.1
> type=internal
> mask=255.255.255.0
>
>
> Aironet 1250 config
>
> !
> ! Last configuration change at 05:51:46 UTC Thu Mar 4 1993
> version 15.2
> no service pad
> service timestamps debug datetime msec
> service timestamps log datetime msec
> service password-encryption
> !
> hostname wifi02
> !
> logging rate-limit console 9
> enable secret XXXXXXXXXXXXXXXXXXXXXXXXX
> aaa new-model
> !
> !
> aaa group server radius rad_eap
> server OTHER_RADIUS auth-port 1812 acct-port 1813
> server OTHER_RADIUS auth-port 1812 acct-port 1813
> !
> aaa group server radius rad_acct
> !
> aaa group server radius rad_admin
> !
> aaa group server tacacs+ tac_admin
> !
> aaa group server radius rad_pmip
> !
> aaa group server radius dummy
> !
> aaa group server radius rad_acct1
> server OTHER_RADIUS auth-port 1812 acct-port 1813
> server OTHER_RADIUS auth-port 1812 acct-port 1813
> !
> aaa group server radius rad_mac
> server PACKETFENCESRV auth-port 1812 acct-port 1813
> !
> aaa group server radius rad_mac3
> server PACKETFENCESRV auth-port 1812 acct-port 1813
> !
> aaa authentication login default local
> aaa authentication login eap_methods group rad_eap
> aaa authentication login mac_methods local
> aaa authentication login mac_methods3 group rad_mac3
> aaa authorization exec default local
> aaa accounting network acct_methods start-stop group rad_acct
> aaa accounting network acct_methods1 start-stop group rad_acct1
> !
> !
> !
> !
> !
> aaa session-id common
> ip domain name act.XXXXXXXXXX
> ip name-server xxx.xxx.xxx.xxx
> ip name-server xxx.xxx.xxx.xxx
> !
> !
> dot11 syslog
> dot11 vlan-name Guest vlan 10
> dot11 vlan-name Registration vlan 11
> dot11 vlan-name Voice vlan 100
> !
> dot11 ssid TWGuest
> vlan 11 backup 10
> authentication open mac-address mac_methods3
> mbssid guest-mode
> !
> dot11 ssid CORPSECURE
> vlan 1
> authentication open eap eap_methods
> authentication key-management wpa version 2
> accounting acct_methods1
> mbssid guest-mode
> !
> dot11 ssid CORPVOIP
> vlan 100
> authentication open
> authentication key-management wpa version 2
> wpa-psk ascii 7 HEX_LON_ENC_PASS
> !
> dot11 aaa csid ietf
> crypto pki token default removal timeout 0
> !
> !
> username XXXXXXXX password 7 XXXXXXX
> !
> !
> bridge irb
> !
> !
> interface Dot11Radio0
> no ip address
> no ip route-cache
> !
> encryption vlan 1 mode ciphers aes-ccm tkip
> !
> encryption vlan 100 mode ciphers tkip
> !
> ssid TWGuest
> !
> ssid Tasko
> !
> ssid TaskoV
> !
> antenna gain 0
> mbssid
> speed 11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
> station-role root
> world-mode dot11d country-code PT both
> no cdp enable
> !
> interface Dot11Radio0.1
> encapsulation dot1Q 1 native
> no ip route-cache
> bridge-group 1
> bridge-group 1 subscriber-loop-control
> bridge-group 1 spanning-disabled
> bridge-group 1 block-unknown-source
> no bridge-group 1 source-learning
> no bridge-group 1 unicast-flooding
> !
> interface Dot11Radio0.10
> encapsulation dot1Q 10
> no ip route-cache
> bridge-group 10
> bridge-group 10 subscriber-loop-control
> bridge-group 10 spanning-disabled
> bridge-group 10 block-unknown-source
> no bridge-group 10 source-learning
> no bridge-group 10 unicast-flooding
> !
> interface Dot11Radio0.11
> encapsulation dot1Q 11
> no ip route-cache
> bridge-group 11
> bridge-group 11 subscriber-loop-control
> bridge-group 11 spanning-disabled
> bridge-group 11 block-unknown-source
> no bridge-group 11 source-learning
> no bridge-group 11 unicast-flooding
> !
> interface Dot11Radio0.100
> encapsulation dot1Q 100
> no ip route-cache
> bridge-group 100
> bridge-group 100 subscriber-loop-control
> bridge-group 100 spanning-disabled
> bridge-group 100 block-unknown-source
> no bridge-group 100 source-learning
> no bridge-group 100 unicast-flooding
> !
> interface Dot11Radio1
> no ip address
> no ip route-cache
> shutdown
> antenna gain 0
> no dfs band block
> speed basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0
> basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12.
> m13. m14. m15.
> channel dfs
> station-role root
> no cdp enable
> bridge-group 1
> bridge-group 1 subscriber-loop-control
> bridge-group 1 spanning-disabled
> bridge-group 1 block-unknown-source
> no bridge-group 1 source-learning
> no bridge-group 1 unicast-flooding
> !
> interface GigabitEthernet0
> no ip address
> no ip route-cache
> duplex auto
> speed auto
> !
> interface GigabitEthernet0.1
> encapsulation dot1Q 1 native
> no ip route-cache
> bridge-group 1
> bridge-group 1 spanning-disabled
> no bridge-group 1 source-learning
> !
> interface GigabitEthernet0.10
> encapsulation dot1Q 10
> no ip route-cache
> bridge-group 10
> bridge-group 10 spanning-disabled
> no bridge-group 10 source-learning
> !
> interface GigabitEthernet0.11
> encapsulation dot1Q 11
> no ip route-cache
> bridge-group 11
> bridge-group 11 spanning-disabled
> no bridge-group 11 source-learning
> !
> interface GigabitEthernet0.100
> encapsulation dot1Q 100
> no ip route-cache
> bridge-group 100
> bridge-group 100 spanning-disabled
> no bridge-group 100 source-learning
> !
> interface BVI1
> ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.0
> no ip route-cache
> !
> ip default-gateway xxx.xxx.xxx.xxx
> ip http server
> no ip http secure-server
> ip http help-path
> http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
> ip radius source-interface BVI1
> access-list 111 permit tcp any any neq telnet
> snmp-server view dot11view ieee802dot11 included
> snmp-server community public RO
> snmp-server community notpublic RW
> snmp-server contact security@
> snmp-server enable traps disassociate
> snmp-server enable traps deauthenticate
> snmp-server enable traps authenticate-fail
> snmp-server enable traps dot11-qos
> snmp-server enable traps switch-over
> snmp-server enable traps rogue-ap
> snmp-server enable traps wlan-wep
> snmp-server enable traps aaa_server
> snmp-server host PACKETFENCESRV version 2c public disassociate
> deauthenticate authenticate-fail
> radius-server attribute 32 include-in-access-req format %h
> radius-server host OTHER_RADIUS auth-port 1812 acct-port 1813 key 7 STRONG
> radius-server host OTHER_RADIUS auth-port 1812 acct-port 1813 key 7 STRONG
> radius-server host PACKETFENCESRV auth-port 1812 acct-port 1813 key 7 STRONG
> radius-server deadtime 5
> radius-server vsa send accounting
> radius-server vsa send authentication
> !
> bridge 1 route ip
> !
> !
> wlccp wds aaa csid ietf
> !
> line con 0
> line vty 0 4
> transport input all
> !
> end
>
>
> Logs from my Mobile Phone wifi connection
>
> I've noted that the AP sends TWO Cisco-AVPair attributes. Since I don't know if
> the last one "overwrites" the first, I've searched for how to limit that
> information, but with no luck.
>
> RADIUSD Debug
>
>
>
> rad_recv: Access-Request packet from host 192.168.69.244 port 1645, id=16,
> length=173
> User-Name = "0446655af9d5"
> User-Password = "0446655af9d5"
> Called-Station-Id = "00-23-5E-B0-38-00"
> Calling-Station-Id = "04-46-65-5A-F9-D5"
> Cisco-AVPair = "ssid=TWGuest"
> Service-Type = Login-User
> Cisco-AVPair = "service-type=Login"
> NAS-Port-Type = Wireless-802.11
> NAS-Port = 260
> NAS-Port-Id = "260"
> NAS-IP-Address = 192.168.69.244
> NAS-Identifier = "wifi02"
> server packetfence {
> # Executing section authorize from file
> /usr/local/pf/raddb//sites-enabled/packetfence
> +- entering group authorize {...}
> [suffix] No '@' in User-Name = "0446655af9d5", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> ++[preprocess] returns ok
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> [files] users: Matched entry DEFAULT at line 1
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
> rlm_perl: Added pair Service-Type = Login-User
> rlm_perl: Added pair Calling-Station-Id = 04-46-65-5A-F9-D5
> rlm_perl: Added pair Called-Station-Id = 00-23-5E-B0-38-00
> rlm_perl: Added pair Cisco-AVPair = ssid=TWGuest
> rlm_perl: Added pair Cisco-AVPair = service-type=Login
> rlm_perl: Added pair User-Name = 0446655af9d5
> rlm_perl: Added pair NAS-Identifier = wifi02
> rlm_perl: Added pair User-Password = 0446655af9d5
> rlm_perl: Added pair NAS-IP-Address = 192.168.69.244
> rlm_perl: Added pair NAS-Port = 260
> rlm_perl: Added pair NAS-Port-Id = 260
> rlm_perl: Added pair Auth-Type = Accept
> ++[packetfence] returns noop
> Found Auth-Type = Accept
> Auth-Type = Accept, accepting the user
> Login OK: [0446655af9d5] (from client 192.168.69.244 port 260 cli
> 04-46-65-5A-F9-D5)
> # Executing section post-auth from file
> /usr/local/pf/raddb//sites-enabled/packetfence
> +- entering group post-auth {...}
> ++[exec] returns noop
> ++? if (!EAP-Type || (EAP-Type != 21 && EAP-Type != 25))
> ? Evaluating !(EAP-Type ) -> TRUE
> ?? Skipping (EAP-Type != 21 )
> ?? Skipping (EAP-Type != 25)
> ++? if (!EAP-Type || (EAP-Type != 21 && EAP-Type != 25)) -> TRUE
> ++- entering if (!EAP-Type || (EAP-Type != 21 && EAP-Type != 25)) {...}
> rlm_perl: Returning vlan 10 to request from 04:46:65:5a:f9:d5 port 260
> rlm_perl: PacketFence RESULT RESPONSE CODE: 2 (2 means OK)
> rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
> rlm_perl: Added pair Service-Type = Login-User
> rlm_perl: Added pair Called-Station-Id = 00-23-5E-B0-38-00
> rlm_perl: Added pair Calling-Station-Id = 04-46-65-5A-F9-D5
> rlm_perl: Added pair Cisco-AVPair = ssid=TWGuest
> rlm_perl: Added pair Cisco-AVPair = service-type=Login
> rlm_perl: Added pair User-Name = 0446655af9d5
> rlm_perl: Added pair NAS-Identifier = wifi02
> rlm_perl: Added pair User-Password = 0446655af9d5
> rlm_perl: Added pair NAS-Port = 260
> rlm_perl: Added pair NAS-IP-Address = 192.168.69.244
> rlm_perl: Added pair NAS-Port-Id = 260
> rlm_perl: Added pair Tunnel-Private-Group-ID = 10
> rlm_perl: Added pair Tunnel-Type = 13
> rlm_perl: Added pair Tunnel-Medium-Type = 6
> rlm_perl: Added pair Auth-Type = Accept
> +++[packetfence] returns ok
> ++- if (!EAP-Type || (EAP-Type != 21 && EAP-Type != 25)) returns ok
> } # server packetfence
> Sending Access-Accept of id 16 to 192.168.69.244 port 1645
> Tunnel-Private-Group-Id:0 = "10"
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Finished request 45.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 45 ID 16 with timestamp +52434
> Ready to process requests.
>
>
> Packetfence.log
>
>
> Sep 17 09:48:30 pf::WebAPI(1796) INFO: handling radius autz request: from
> switch_ip => 192.168.69.244, connection_type => Wireless-802.11-NoEAP mac =>
> 04:46:65:5a:f9:d5, port => 260, username => 0446655af9d5
> (pf::radius::authorize)
> Sep 17 09:48:31 pf::WebAPI(1796) WARN: Unable to extract SSID for module
> pf::SNMP::Cisco::Aironet_WDS. SSID-based VLAN assignments won't work. Make
> sure you enable Vendor Specific Attributes (VSA) on the AP if you want them
> to work. (pf::SNMP::Cisco::Aironet_WDS::extractSsid)
> Sep 17 09:48:31 pf::WebAPI(1796) INFO: Username was NOT defined or unable to
> match a role - returning node based role 'guest' (pf::vlan::getNormalVlan)
> Sep 17 09:48:31 pf::WebAPI(1796) INFO: MAC: 04:46:65:5a:f9:d5, PID:
> convidado, Status: reg. Returned VLAN: 10 (pf::vlan::fetchVlanForNode)
> Sep 17 09:48:31 pf::WebAPI(1796) WARN: No parameter guestRole found in
> conf/switches.conf for the switch 192.168.69.244 (pf::SNMP::getRoleByName)
> Sep 17 09:48:32 pfdhcplistener(4768) INFO: DHCPREQUEST from 04:46:65:5a:f9:d5
> (192.168.70.10) (main::parse_dhcp_request)
> Sep 17 09:48:32 pfdhcplistener(4768) INFO: 04:46:65:5a:f9:d5 requested an IP.
> DHCP Fingerprint: OS::1112 (Samsung Android). Modified node with last_dhcp =
> 2013-09-17 09:48:32,computername = android-cfbfb835f3c74cd4,dhcp_fingerprint
> = 1,33,3,6,15,28,51,58,59 (main::listen_dhcp)
>
>
> Any help would be greatly appreciated.
>
> Best regards,
>
> Pedro
>
> --
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users