Here is the output:

rad_recv: Access-Request packet from host 172.31.255.20 port 32768, id=67, length=186
        User-Name = "a0:88:b4:17:73:a4"
        Called-Station-Id = "00-27-0d-4a-77-b0:DUGuest-Test"
        Calling-Station-Id = "a0-88-b4-17-73-a4"
        NAS-Port = 1
        NAS-IP-Address = 172.31.255.20
        NAS-Identifier = "dial2504-wlc-test"
        Airespace-Wlan-Id = 4
        User-Password = "supersecretpassword"
        Service-Type = Call-Check
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "500"
server packetfence {
# Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence
+group authorize {
[suffix] No '@' in User-Name = "a0:88:b4:17:73:a4", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++[preprocess] = ok
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] users: Matched entry DEFAULT at line 1
++[files] = ok
++[expiration] = noop
++[logintime] = noop
++update request {
        expand: %{Packet-Src-IP-Address} -> 172.31.255.20
++} # update request = noop
++update control {
++} # update control = noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Call-Check
rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802
rlm_perl: Added pair Tunnel-Type = VLAN
rlm_perl: Added pair Calling-Station-Id = a0-88-b4-17-73-a4
rlm_perl: Added pair Called-Station-Id = 00-27-0d-4a-77-b0:DUGuest-Test
rlm_perl: Added pair FreeRADIUS-Client-IP-Address = 172.31.255.20
rlm_perl: Added pair Airespace-Wlan-Id = 4
rlm_perl: Added pair User-Name = a0:88:b4:17:73:a4
rlm_perl: Added pair NAS-Identifier = dial2504-wlc-test
rlm_perl: Added pair User-Password = p@ck3tf3nc3
rlm_perl: Added pair NAS-Port = 1
rlm_perl: Added pair NAS-IP-Address = 172.31.255.20
rlm_perl: Added pair Tunnel-Private-Group-Id = 500
rlm_perl: Added pair Framed-MTU = 1300
rlm_perl: Added pair PacketFence-RPC-Pass =
rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1
rlm_perl: Added pair PacketFence-RPC-Proto = http
rlm_perl: Added pair PacketFence-RPC-User =
rlm_perl: Added pair Auth-Type = Accept
rlm_perl: Added pair PacketFence-RPC-Port = 9090
++[packetfence] = noop
+} # group authorize = ok
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Login OK: [a0:88:b4:17:73:a4] (from client 172.31.255.20 port 1 cli a0-88-b4-17-73-a4)
} # server packetfence
# Executing section post-auth from file /usr/local/pf/raddb/sites-enabled/packetfence
+group post-auth {
++[exec] = noop
++? if (!EAP-Type || (EAP-Type != EAP-TTLS  && EAP-Type != PEAP))
? Evaluating !(EAP-Type ) -> TRUE
?? Skipping (EAP-Type != EAP-TTLS  )
?? Skipping (EAP-Type != PEAP)
++? if (!EAP-Type || (EAP-Type != EAP-TTLS  && EAP-Type != PEAP)) -> TRUE
++if (!EAP-Type || (EAP-Type != EAP-TTLS  && EAP-Type != PEAP)) {
+++update control {
+++} # update control = noop
rlm_perl: request from a0:88:b4:17:73:a4 port 1 was accepted but no VLAN returned. This could be normal. See server logs for details.
rlm_perl: PacketFence RESULT RESPONSE CODE: 2 (2 means OK)
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Call-Check
rlm_perl: Added pair Tunnel-Type = VLAN
rlm_perl: Added pair Tunnel-Medium-Type = IEEE-802
rlm_perl: Added pair Called-Station-Id = 00-27-0d-4a-77-b0:DUGuest-Test
rlm_perl: Added pair Calling-Station-Id = a0-88-b4-17-73-a4
rlm_perl: Added pair Airespace-Wlan-Id = 4
rlm_perl: Added pair FreeRADIUS-Client-IP-Address = 172.31.255.20
rlm_perl: Added pair User-Name = a0:88:b4:17:73:a4
rlm_perl: Added pair User-Password = p@ck3tf3nc3
rlm_perl: Added pair NAS-Identifier = dial2504-wlc-test
rlm_perl: Added pair NAS-IP-Address = 172.31.255.20
rlm_perl: Added pair NAS-Port = 1
rlm_perl: Added pair Framed-MTU = 1300
rlm_perl: Added pair Tunnel-Private-Group-Id = 500
rlm_perl: Added pair Airespace-ACL-Name = PreAuth4WebRedirect
rlm_perl: Added pair PacketFence-RPC-Pass =
rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1
rlm_perl: Added pair PacketFence-RPC-User =
rlm_perl: Added pair PacketFence-RPC-Proto = http
rlm_perl: Added pair Auth-Type = Accept
rlm_perl: Added pair PacketFence-RPC-Port = 9090
+++[packetfence] = ok
++} # if (!EAP-Type || (EAP-Type != EAP-TTLS  && EAP-Type != PEAP)) = ok
+} # group post-auth = ok
Sending Access-Accept of id 67 to 172.31.255.20 port 32768
        Airespace-ACL-Name = "PreAuth4WebRedirect"
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 67 with timestamp +21
Ready to process requests.





Thanks,
_______________________________________
Chris Mielke  |  Lead, ISS Network Systems
Drake Technology Services (DTS) | Drake University
 
T  515.271.4640
E  [email protected]




On 10/23/14, 5:00 PM, "Durand fabrice" <[email protected]> wrote:

>Ok so in a perfect world AAA URL redirect should be something like
>http://192.168.254.1/cep....
>
>Can you run freeradius in debug mode:
>
>pkill radiusd
>radiusd -d /usr/local/pf/raddb -X
>
>and paste the debug output from when you try to connect.
>
>
>Regards
>Fabrice
>
>On 2014-10-23 15:14, Christopher Mielke wrote:
>> Here is the output:
>>
>> show client detail a088b41773a4
>> Client MAC Address............................... a0:88:b4:17:73:a4
>> Client Username ................................. N/A
>> AP MAC Address................................... 00:27:0d:4a:77:b0
>> AP Name.......................................... dial1142wap-test
>> AP radio slot Id................................. 0
>> Client State..................................... Associated
>> Client NAC OOB State............................. Access
>> Wireless LAN Id.................................. 4
>> Hotspot (802.11u)................................ Not Supported
>> BSSID............................................ 00:27:0d:4a:77:b3
>> Connected For ................................... 36 secs
>> Channel.......................................... 1
>> IP Address....................................... Unknown
>> Gateway Address.................................. Unknown
>> Netmask.......................................... Unknown
>> IPv6 Address..................................... fe80::bc0b:5c58:e766:93de
>> Association Id................................... 1
>> Authentication Algorithm......................... Open System
>> Reason Code...................................... 1
>> Status Code...................................... 0
>> Session Timeout.................................. 1800
>> Client CCX version............................... 4
>> Client E2E version............................... 1
>> QoS Level........................................ Silver
>> Avg data Rate.................................... 0
>> Burst data Rate.................................. 0
>> Avg Real time data Rate.......................... 0
>> Burst Real Time data Rate........................ 0
>> 802.1P Priority Tag.............................. disabled
>> CTS Security Group Tag........................... Not Applicable
>> KTS CAC Capability............................... No
>> WMM Support...................................... Enabled
>>    APSD ACs.......................................  BK  BE  VI  VO
>> Power Save....................................... OFF
>> Current Rate..................................... 54.0
>> Supported Rates.................................. 12.0,18.0,24.0,36.0,48.0,
>>      ............................................. 54.0
>> Mobility State................................... Local
>> Mobility Move Count.............................. 0
>> Security Policy Completed........................ Yes
>> Policy Manager State............................. RUN
>> Policy Manager Rule Created...................... Yes
>> AAA Override ACL Name............................ none
>> AAA Override ACL Applied Status.................. Unavailable
>> AAA Override Flex ACL Name....................... none
>> AAA Override Flex ACL Applied Status............. Unavailable
>> AAA URL redirect................................. none
>> Audit Session ID................................. ac1fff1400000016544952a8
>> AAA Role Type.................................... none
>> Local Policy Applied............................. none
>> IPv4 ACL Name.................................... PreAuth4WebRedirect
>> FlexConnect ACL Applied Status................... Unavailable
>> IPv4 ACL Applied Status.......................... Yes
>> IPv6 ACL Name.................................... none
>> IPv6 ACL Applied Status.......................... Unavailable
>> Layer2 ACL Name.................................. none
>> Layer2 ACL Applied Status........................ Unavailable
>> mDNS Status...................................... Enabled
>> mDNS Profile Name................................ default-mdns-profile
>> No. of mDNS Services Advertised.................. 0
>> Policy Type...................................... N/A
>> Encryption Cipher................................ None
>> Protected Management Frame ...................... No
>> Management Frame Protection...................... No
>> EAP Type......................................... Unknown
>> Interface........................................ guest-wl
>> VLAN............................................. 500
>> Quarantine VLAN.................................. 0
>> Access VLAN...................................... 500
>> Client Capabilities:
>>        CF Pollable................................ Not implemented
>>        CF Poll Request............................ Not implemented
>>        Short Preamble............................. Implemented
>>        PBCC....................................... Not implemented
>>        Channel Agility............................ Not implemented
>>        Listen Interval............................ 90
>>        Fast BSS Transition........................ Not implemented
>> Client Wifi Direct Capabilities:
>>        WFD capable................................ No
>>        Manged WFD capable......................... No
>>        Cross Connection Capable................... No
>>        Support Concurrent Operation............... No
>> Fast BSS Transition Details:
>> Client Statistics:
>>        Number of Bytes Received................... 12120
>>        Number of Bytes Sent....................... 0
>>        Total Number of Bytes Sent................. 0
>>        Total Number of Bytes Recv................. 12120
>>        Number of Bytes Sent (last 90s)............ 0
>>        Number of Bytes Recv (last 90s)............ 12120
>>        Number of Packets Received................. 126
>>        Number of Packets Sent..................... 0
>>        Number of Interim-Update Sent.............. 0
>>        Number of EAP Id Request Msg Timeouts...... 0
>>        Number of EAP Id Request Msg Failures...... 0
>>        Number of EAP Request Msg Timeouts......... 0
>>        Number of EAP Request Msg Failures......... 0
>>        Number of EAP Key Msg Timeouts............. 0
>>        Number of EAP Key Msg Failures............. 0
>>        Number of Data Retries..................... 0
>>        Number of RTS Retries...................... 0
>>        Number of Duplicate Received Packets....... 0
>>        Number of Decrypt Failed Packets........... 0
>>        Number of Mic Failured Packets............. 0
>>        Number of Mic Missing Packets.............. 0
>>        Number of RA Packets Dropped............... 0
>>        Number of Policy Errors.................... 0
>>        Radio Signal Strength Indicator............ -67 dBm
>>        Signal to Noise Ratio...................... 25 dB
>> Client Rate Limiting Statistics:
>>        Number of Data Packets Recieved............ 0
>>        Number of Data Rx Packets Dropped.......... 0
>>        Number of Data Bytes Recieved.............. 0
>>        Number of Data Rx Bytes Dropped............ 0
>>        Number of Realtime Packets Recieved........ 0
>>        Number of Realtime Rx Packets Dropped...... 0
>>        Number of Realtime Bytes Recieved.......... 0
>>        Number of Realtime Rx Bytes Dropped........ 0
>>        Number of Data Packets Sent................ 0
>>        Number of Data Tx Packets Dropped.......... 0
>>        Number of Data Bytes Sent.................. 0
>>        Number of Data Tx Bytes Dropped............ 0
>>        Number of Realtime Packets Sent............ 0
>>        Number of Realtime Tx Packets Dropped...... 0
>>        Number of Realtime Bytes Sent.............. 0
>>        Number of Realtime Tx Bytes Dropped........ 0
>> Nearby AP Statistics:
>>        dial1142wap-test(slot 0)
>>          antenna0: 36 secs ago.................... -64 dBm
>>          antenna1: 36 secs ago.................... -66 dBm
>>        dial1142wap-test(slot 1)
>>          antenna0: 112 secs ago................... -77 dBm
>>          antenna1: 112 secs ago................... -77 dBm
>> DNS Server details:
>>        DNS server IP ............................. 0.0.0.0
>>        DNS server IP ............................. 0.0.0.0
>> Assisted Roaming Prediction List details:
>>
>>   Client Dhcp Required:     True
>> Allowed (URL)IP Addresses
>> -------------------------
>>
>>
>>
>>
>>
>>
>> Thanks,
>> _______________________________________
>> Chris Mielke  |  Lead, ISS Network Systems
>> Drake Technology Services (DTS) | Drake University
>>   
>> T  515.271.4640
>> E  [email protected]
>>
>>
>>
>>
>> On 10/23/14, 1:57 PM, "Fabrice DURAND" <[email protected]> wrote:
>>
>>> Strange it doesn't detect that it's a wlc redirection.
>>> Can you paste a sh client @mac (wlc) ?
>>>
>>> Regards
>>> Fabrice
>>>
>>> On 2014-10-23 14:35, Christopher Mielke wrote:
>>>> I didn’t try to ping because of the ACL, but I was able to telnet to the
>>>> server on port 80. When I open a browser it tries to redirect to
>>>>
>>>> 
>>>>“https://pf.drake.edu/captive-portal?destination_url=http://192.168.254
>>>>.1
>>>> 0/
>>>> &”, but then it times out.
>>>>
>>>> Thanks,
>>>> _______________________________________
>>>> Chris Mielke  |  Lead, ISS Network Systems
>>>> Drake Technology Services (DTS) | Drake University
>>>>    
>>>> T  515.271.4640
>>>> E  [email protected]
>>>>
>>>>
>>>>
>>>>
>>>> On 10/23/14, 12:39 PM, "Fabrice DURAND" <[email protected]> wrote:
>>>>
>>>>> Yes this is correct but are you able to ping the portal ip address ?
>>>>> (Also change the acl to allow icmp)
>>>>>
>>>>> Fabrice
>>>>>
>>>>> On 2014-10-23 12:36, Christopher Mielke wrote:
>>>>>> Sorry it took so long to respond. I had to rebuild my test environment.
>>>>>> I am able to connect to the SSID and on the wlc I can see the “PreAuth”
>>>>>> access-list is being applied. However, when I open a web browser I do
>>>>>> not get to the captive portal. I am pointing to production DNS right
>>>>>> now. Is that correct?
>>>>>>
>>>>>> Thanks,
>>>>>> _______________________________________
>>>>>> Chris Mielke  |  Lead, ISS Network Systems
>>>>>> Drake Technology Services (DTS) | Drake University
>>>>>>     
>>>>>> T  515.271.4640
>>>>>> E  [email protected]
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 10/15/14, 12:23 PM, "Fabrice DURAND" <[email protected]> wrote:
>>>>>>
>>>>>>> Hello Christopher,
>>>>>>>
>>>>>>> it depends on your network configuration, but you can use an alias
>>>>>>> (eth0:1) as the ip address of the captive portal.
>>>>>>>
>>>>>>> But let's start with a simple config: in packetfence create a
>>>>>>> management interface, a registration interface and an isolation
>>>>>>> interface.
>>>>>>>
>>>>>>> The registration interface must be able to talk with the wlc and the
>>>>>>> devices connected on it, and don't forget to disable dhcp on the reg
>>>>>>> interface.
>>>>>>> So on the wlc side configure an ACL (Pre-Auth-For-WebRedirect) that
>>>>>>> forwards the traffic to the ip address of the registration interface,
>>>>>>> configure another ACL (Authorize_any) to allow any any, and configure
>>>>>>> the WLC to be the dhcp server for the client.
>>>>>>>
>>>>>>> Then try to connect on the ssid and check the status of the client in
>>>>>>> the WLC; if all is ok you will be able to see that the ACL applied to
>>>>>>> the client is the Pre-Auth-For-WebRedirect.
>>>>>>>
>>>>>>> Let me know if it's ok.
>>>>>>>
>>>>>>> Regards
>>>>>>> Fabrice
>>>>>>>
>>>>>>> On 2014-10-14 17:49, Christopher Mielke wrote:
>>>>>>>> I am completely new to PacketFence and trying to set up WebAuth for a
>>>>>>>> guest SSID using a Cisco WLC running 7.6.130.0. I have installed
>>>>>>>> PacketFence ZEN 4.4.1 and have it running. I am trying to follow the
>>>>>>>> instructions for "Wireless LAN Controller (WLC) Web Auth" from the
>>>>>>>> network configuration guide, but I'm confused about the captive portal
>>>>>>>> configuration. In the guide it says the captive portal is using IP
>>>>>>>> address 172.16.0.250 and the administration (I presume management)
>>>>>>>> interface uses IP address 172.16.0.249. How do I set up a captive
>>>>>>>> portal IP address in the same subnet as the management IP address? I
>>>>>>>> apparently cannot use the management IP for the captive portal because
>>>>>>>> iptables blocks HTTP(S) traffic to that IP address because it is in
>>>>>>>> the "input-management-if" chain.
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Chris
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> 
>>>>>>> -- 
>>>>>>> Fabrice Durand
>>>>>>> [email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
>>>>>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
>>>>>>> PacketFence
>>>>>>> (http://packetfence.org)
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>> -- 
>>>>> Fabrice Durand
>>>>> [email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
>>>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
>>>>> PacketFence
>>>>> (http://packetfence.org)
>>>>>
>>>>>
>>>>>
>>>
>>> -- 
>>> Fabrice Durand
>>> [email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
>>>PacketFence
>>> (http://packetfence.org)
>>>
>>>

------------------------------------------------------------------------------
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
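
An added example, not part of the original thread and not PacketFence or FreeRADIUS code: the radiusd -X trace at the top of this message prints User-Password both in the packet dump and in the "rlm_perl: Added pair" lines, so a trace has to be masked in both places before it is posted to a public list. The sketch below does that and also pulls out the attributes of each reply so they can be compared with what the controller shows for the client; the sample trace, its addresses and its secret are constructed, and the function names are hypothetical.

```python
import re

# "Name = value" as printed in the packet dump (indented) and in the
# "rlm_perl: Added pair" lines of a radiusd -X trace.
ATTR = re.compile(
    r"^(?P<head>\s*(?:rlm_perl: Added pair )?)"
    r"(?P<name>[A-Za-z][\w-]*(?::\d+)?)\s*=\s?(?P<value>.*)$"
)
SENDING = re.compile(r"^Sending (Access-\w+) of id (\d+)")

# Constructed sample, shaped like the trace in this message.
SAMPLE = '''\
rad_recv: Access-Request packet from host 192.0.2.20 port 32768, id=67, length=186
        User-Name = "02:00:00:00:00:01"
        User-Password = "example-secret"
        Service-Type = Call-Check
rlm_perl: Added pair User-Name = 02:00:00:00:00:01
rlm_perl: Added pair User-Password = example-secret
rlm_perl: Added pair PacketFence-RPC-Pass =
Sending Access-Accept of id 67 to 192.0.2.20 port 32768
        Airespace-ACL-Name = "PreAuth4WebRedirect"
Finished request 0.
'''

def is_secret(name):
    """Heuristic (an assumption of this example): the attribute name marks a secret."""
    base = name.split(":")[0].lower()
    return base.endswith(("password", "-pass")) or "secret" in base

def redact(text):
    """Mask non-empty secret values in both line formats; keep everything else."""
    out = []
    for line in text.splitlines():
        m = ATTR.match(line)
        if m and is_secret(m["name"]) and m["value"].strip():
            line = f"{m['head']}{m['name']} = <redacted>"
        out.append(line)
    return "\n".join(out) + "\n"

def reply_attributes(text):
    """Return one dict per 'Sending Access-*' line with the attributes listed under it."""
    replies, current = [], None
    for line in text.splitlines():
        s = SENDING.match(line)
        if s:
            current = {"code": s[1], "id": int(s[2]), "attrs": {}}
            replies.append(current)
            continue
        m = ATTR.match(line) if current is not None else None
        if m and line[:1].isspace():
            # Reply attributes are the indented lines right after "Sending ...".
            current["attrs"][m["name"]] = m["value"].strip().strip('"“”')
        else:
            current = None
    return replies

if __name__ == "__main__":
    print(redact(SAMPLE))
    print(reply_attributes(SAMPLE))
```
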
