Thanks for the advice Eric. Is this deauth error likely to be something to do with the roles and authentication sources though? With all due respect I'm not sure whether I'm going down the correct route of troubleshooting here. I am fully prepared to carry on down this route if you or anyone does think it is related.
The error "Error-Cause: Session-Context-Not-Found" is described in RFC 3576, which states that this error is returned when the NAS has no record of the request sent to it by the RADIUS server: "Session Context Not Found" is a fatal error sent if the session context identified in the Request does not exist on the NAS." I appreciate that this isn't necessarily PacketFence's problem, it seems to be a mis-communication between the Cisco WLC and the freeradius server, but this list is usually the most helpful when it comes to resolving these sorts of issues.

Cheers,
Andi

-----Original Message-----
From: Tedder, Eric [mailto:[email protected]]
Sent: 12 March 2014 17:48
To: [email protected]
Subject: Re: [PacketFence-users] RADIUS De-Auth on Cisco WLC5508 [SOLVED]

Andi,

I use Active Directory for my main authentication source so I can't say as to the eduroam setup. I guess I would suggest starting at the lowest level for authentication, which is the guest registration portal first. Just get the roles to work with only PacketFence's built-in self guest registration. That will tell you if your WLC is configured and working correctly with RADIUS requests. After that you can make adjustments to adding authentication sources and different SSID profiles for those sources. The guest portal relies on using email verification and so you may need to install a simple SMTP on the PF box, for the SMS and email.

Eric

________________________________
From: Morris, Andi [[email protected]]
Sent: Wednesday, March 12, 2014 4:47 AM
To: '[email protected]'
Subject: Re: [PacketFence-users] RADIUS De-Auth on Cisco WLC5508 [SOLVED]

Hi Eric,

I'm using version 4.1. I did use the GUI to make the change, but I always restart the PacketFence services when troubleshooting things like this. It's only a dev box so nobody is affected. I cannot seem to get roles to work with my deployment.
I need to assign VLANs depending on the realm given as the username (this is to be an eduroam setup), but I couldn't find a way to make this happen with the roles/sources route and had to use custom.pl.

Thanks for your help,
Andi

From: Tedder, Eric [mailto:[email protected]]
Sent: 11 March 2014 17:25
To: '[email protected]'
Subject: Re: [PacketFence-users] RADIUS De-Auth on Cisco WLC5508 [SOLVED]

Andi,

Which version of PacketFence are you using? (I am using the latest.) If you are using the latest then make sure to make your adjustments for the switch in the GUI, because this also puts the RADIUS key in the MySQL database; otherwise you will have to restart PacketFence for changes to take. Also you might need to restart the RADIUS service after the key change. I would suggest starting out with using roles and see if you get it working, and then move on to the custom.pl file once you have roles working.

Eric

From: Morris, Andi [mailto:[email protected]]
Sent: Tuesday, March 11, 2014 12:28 PM
To: '[email protected]'
Subject: Re: [PacketFence-users] RADIUS De-Auth on Cisco WLC5508 [SOLVED]

Thanks for the reply Eric,

I have edited my shared secret in switches.conf to a very simple one to troubleshoot this. I also edited:

==> Security --> Mac Filtering --> Radius Compatibility mode set to Free Radius and the delimiter is a colon

But not:

==> Security --> Authentication --> Call station id type = system mac address and delimiter colon

Just yet, as this WLC is also serving live wireless environments, so I don't want to make any global changes that could affect the live system. I am not using Roles, I am setting the normal VLAN using a script in custom.pl. RFC3576 is set to enabled on the RADIUS server, and this RADIUS server is selected in the WLAN settings. AAA override is turned on for the production WLAN. At the moment I only have an interface set up for my isolation network, and this is in the correct VLAN.
I can see the WLC trying to change the VLAN, but the change doesn't happen on the client.

Thanks for your help.
Andi

From: Tedder, Eric [mailto:[email protected]]
Sent: 11 March 2014 15:19
To: '[email protected]'
Subject: Re: [PacketFence-users] RADIUS De-Auth on Cisco WLC5508 [SOLVED]

I use a 5508 with 7.4.110.0 with PacketFence and VLAN management. When I set up my 5508 with PacketFence I found that I could not use a RADIUS secret that was longer than 15 characters. If I did it would sometimes just stop working. Also if you are using Role Mapping by VLAN make sure to empty out role mapping by switch.

On the WLC I have the following set:

==> Security --> Mac Filtering --> Radius Compatibility mode set to Free Radius and the delimiter is a colon
==> Security --> Authentication --> Call station id type = system mac address and delimiter colon

Also make sure that RFC 3576 is enabled for your RADIUS server settings. Make sure that you have enabled RADIUS auth on the WLC in the AAA servers section of the WLAN SSID and point it at the PacketFence server. The interface for the WLAN SSID should be the VLAN that is for registration, and AAA override should be turned on.

Eric

From: Morris, Andi [mailto:[email protected]]
Sent: Tuesday, March 11, 2014 7:55 AM
To: '[email protected]'
Subject: Re: [PacketFence-users] RADIUS De-Auth on Cisco WLC5508 [SOLVED]

Oh damn, I think this might be affecting me. I'm having trouble getting my wireless clients to transition between my isolation network and my production, and vice-versa. I'm seeing the following in the packetfence.log:

WARN: Unable to perform RADIUS Disconnect-Request. Disconnect-NAK received with Error-Cause: Session-Context-Not-Found.
(pf::SNMP::radiusDisconnect)

This is on a Cisco 5508 running 7.4.110.0.

Cheers,
Andi

From: Sallee, Stephen (Jake) [mailto:[email protected]]
Sent: 22 November 2013 19:46
To: [email protected]
Subject: Re: [PacketFence-users] RADIUS De-Auth on Cisco WLC5508 [SOLVED]

That is terrible! Did TAC give any info on when they expect the bug to be closed?

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton TX. 76513
Fone: 254-295-4658
Phax: 254-295-4221
HTTP://WWW.UMHB.EDU

From: Thomas Tsai [mailto:[email protected]]
Sent: Thursday, November 21, 2013 1:19 PM
To: [email protected]
Subject: Re: [PacketFence-users] RADIUS De-Auth on Cisco WLC5508 [SOLVED]

FYI - I realize this is an older thread, but as a heads up to anyone looking to do RFC 3576 (RADIUS deauth) on the WLC: bug CSCud14147 is now rolled into mainstream 7.5.102.0 code (released 7/31/2013). Confirmed with Cisco TAC today.

From: Derek Wuelfrath [mailto:[email protected]]
Sent: Wednesday, August 07, 2013 8:26 AM
To: [email protected]
Subject: Re: [PacketFence-users] RADIUS De-Auth on Cisco WLC5508 [SOLVED]

Jake!

Your tha man! Exactly what I thought ;)
Glad that you are now on the good side of the matrix ;)

Anything else ? :)

Cheers!
dw.

--
Derek Wuelfrath
[email protected] :: +1.514.447.4918 (x110) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

On 2013-08-07, at 10:56 AM, "Sallee, Stephen (Jake)" <[email protected]> wrote:

Derek:

I beat you to it buddy! The problem was that PF is using one interface for RADIUS and another for the RADIUS-CoA. Once I configured both interfaces as RADIUS servers on the WLC it started working.
I had three debug sessions on separate pieces of hardware going at once, watching text fly by ... felt like I was in The Matrix.

http://images.wikia.com/anythingeverything/images/5/5c/The_Matrix.gif
and then
http://images5.fanpop.com/image/photos/31800000/The-Matrix-the-matrix-31832109-500-211.gif
and then
http://4.bp.blogspot.com/-Bz80e6kWy-g/USUbvD8_B-I/AAAAAAAAKw8/hau1V82mSFQ/s1600/the-one.gif

Sorry for the link storm, I'm just so relieved to get this working and pictures relay emotion so much better.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton TX. 76513
Fone: 254-295-4658
Phax: 254-295-4221
HTTP://WWW.UMHB.EDU

From: Derek Wuelfrath [mailto:[email protected]]
Sent: Wednesday, August 07, 2013 9:08 AM
To: [email protected]
Subject: Re: [PacketFence-users] RADIUS De-Auth on Cisco WLC5508

Can you send me the two following pcaps please.

1. A PCAP containing a RADIUS Access-Request from the controller to the PacketFence server
2. A PCAP containing the CoA from the PacketFence server to the controller.

I think I know what the problem is :)

Derek

--
Derek Wuelfrath
[email protected] :: +1.514.447.4918 (x110) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

On 2013-08-06, at 2:13 PM, "Sallee, Stephen (Jake)" <[email protected]> wrote:

Yes and it is set to enabled.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton TX.
76513
Fone: 254-295-4658
Phax: 254-295-4221
HTTP://WWW.UMHB.EDU

From: Derek Wuelfrath [mailto:[email protected]]
Sent: Tuesday, August 06, 2013 12:31 PM
To: [email protected]
Subject: Re: [PacketFence-users] RADIUS De-Auth on Cisco WLC5508

Jake,

Is there any place in the RADIUS server configuration on the WLC mentioning RFC3576 ?

Derek

--
Derek Wuelfrath
[email protected] :: +1.514.447.4918 (x110) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

On 2013-08-05, at 6:21 PM, "Sallee, Stephen (Jake)" <[email protected]> wrote:

Hello all!

I am having a bit of trouble configuring my PF box to do RADIUS-CoA de-auth to my Cisco WLC 5508. I THINK I have everything configured right but I keep getting this error in the logs:

Aug 05 16:58:27 pfsetvlan(1) WARN: Unable to perform RADIUS Disconnect-Request: Timeout waiting for a reply from 10.2.1.35 on port 3799 at /usr/local/pf/lib/pf/util/radius.pm line 160. (pf::SNMP::__ANON__)
Aug 05 16:58:27 pfsetvlan(1) ERROR: Wrong RADIUS secret or unreachable network device... (pf::SNMP::__ANON__)
Aug 05 16:58:27 pfsetvlan(1) INFO: finished (main::cleanupAfterThread)

Now, that says I have the wrong RADIUS secret but I have quadruple checked to make sure the secret is correct. I have rebooted both boxes to make sure the changes persist and they do. I have checked the config guide but it doesn't mention anything I need to do on the WLC as far as RADIUS-CoA is concerned.

As always, any help is appreciated.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton TX. 76513
Fone: 254-295-4658
Phax: 254-295-4221
HTTP://WWW.UMHB.EDU
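The two symptoms in this thread, a Disconnect-Request that times out with "Wrong RADIUS secret or unreachable network device" and a Disconnect-NAK carrying Error-Cause Session-Context-Not-Found, are distinguishable on the wire. The following Python is an added example for readers of the thread; it is not PacketFence's, FreeRADIUS's or Cisco's code. It builds a Disconnect-Request exactly as RFC 3576/5176 specify (Request Authenticator = MD5 over the header, sixteen zero octets, the attributes and the shared secret), simulates the NAS reply locally so it runs offline, verifies the Response Authenticator against the shared secret, and decodes the Error-Cause attribute (type 101). The secret, username, MAC address and IP addresses are constructed sample values, and `coa_source_accepted` is a hypothetical helper that encodes Jake's finding: the WLC only honours CoA from addresses it knows as RADIUS servers, so the interface PacketFence sends CoA from must be registered too, not only the one used for Access-Requests.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes for Dynamic Authorization (RFC 3576, updated by RFC 5176)
DISCONNECT_REQUEST = 40
DISCONNECT_ACK = 41
DISCONNECT_NAK = 42

# Attribute types used here
ATTR_USER_NAME = 1
ATTR_CALLING_STATION_ID = 31
ATTR_ERROR_CAUSE = 101

# Error-Cause values a NAS may return in a Disconnect-NAK (RFC 5176 section 3.5)
ERROR_CAUSE_NAMES = {
    401: "Unsupported-Attribute",
    402: "Missing-Attribute",
    403: "NAS-Identification-Mismatch",
    404: "Invalid-Request",
    501: "Administratively-Prohibited",
    503: "Session-Context-Not-Found",
    504: "Session-Context-Not-Removable",
    506: "Resources-Unavailable",
}

HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attributes(pairs):
    """Encode (type, value) pairs as RADIUS TLVs: Type(1) Length(1) Value."""
    out = b""
    for attr_type, value in pairs:
        if len(value) > 253:
            raise ValueError("attribute value too long for one AVP")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attributes(data):
    """Decode RADIUS TLVs into (type, value) pairs, rejecting malformed lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = struct.unpack("!BB", data[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def build_disconnect_request(identifier, secret, attributes):
    """Disconnect-Request; Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attributes(attributes)
    head = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, HEADER_LEN + len(body))
    authenticator = hashlib.md5(head + b"\x00" * 16 + body + secret).digest()
    return head + authenticator + body


def build_response(code, request, secret, attributes):
    """Disconnect-ACK/NAK as the NAS would send it; Response Authenticator is
    MD5(Code + Identifier + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attributes(attributes)
    head = struct.pack("!BBH", code, request[1], HEADER_LEN + len(body))
    authenticator = hashlib.md5(head + request[4:20] + body + secret).digest()
    return head + authenticator + body


def parse_response(packet, request, secret):
    """Check a NAS reply against the request we sent and our shared secret.
    authentic=False means wrong secret or a reply for another request;
    an authentic NAK with Error-Cause 503 means the NAS has no session
    matching the attributes we sent (the thread's second symptom)."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or identifier != request[1]:
        return {"code": code, "authentic": False, "error_cause": None, "error_name": None}
    body = packet[HEADER_LEN:]
    expected = hashlib.md5(packet[:4] + request[4:20] + body + secret).digest()
    authentic = hmac.compare_digest(expected, packet[4:20])
    error_cause = None
    for attr_type, value in decode_attributes(body):
        if attr_type == ATTR_ERROR_CAUSE and len(value) == 4:
            error_cause = struct.unpack("!I", value)[0]
    name = ERROR_CAUSE_NAMES.get(error_cause, "Unknown") if error_cause is not None else None
    return {"code": code, "authentic": authentic, "error_cause": error_cause, "error_name": name}


def coa_source_accepted(wlc_radius_servers, coa_source_ip):
    """Hypothetical check mirroring the thread's root cause: the address the
    CoA/Disconnect is sent from must itself be configured on the WLC as a
    RADIUS server, not only the address that answers Access-Requests."""
    return coa_source_ip in set(wlc_radius_servers)


def demo():
    secret = b"pfsecret"  # constructed sample secret
    request = build_disconnect_request(7, secret, [
        (ATTR_USER_NAME, b"user@example.edu"),           # constructed sample
        (ATTR_CALLING_STATION_ID, b"00:11:22:33:44:55"),  # constructed sample MAC
    ])
    # Simulate the WLC answering with the NAK Andi saw in packetfence.log
    nak = build_response(DISCONNECT_NAK, request, secret,
                         [(ATTR_ERROR_CAUSE, struct.pack("!I", 503))])
    return parse_response(nak, request, secret)


if __name__ == "__main__":
    print(demo())
    # constructed addresses: auth interface registered on the WLC, CoA interface not
    print("CoA source registered on WLC:", coa_source_accepted(["10.0.0.10"], "10.0.0.11"))
```

When capturing the real exchange (Derek's two pcaps), feed the Disconnect-Request bytes and the reply bytes to `parse_response` with the secret from switches.conf: a reply that fails the authenticator check points at the secret or at a mismatched identifier, while an authentic NAK with 503 points at the session lookup on the controller (for example the Calling-Station-Id delimiter settings Eric lists) rather than at the secret.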
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
