I have been looking at Packetfence in a small lab environment for a couple of weeks now and believe I have the packetfence side of things set up as I want, with the following VLANs in operation to provide network isolation:
VLAN 10 - Management (192.168.200.x range)
VLAN 20 - Registration (DHCP served by packetfence)
VLAN 30 - Isolation
VLAN 40 - Guest (DHCP served by Windows server)
VLAN 50 - Approved (DHCP served by Windows server)

I have a physical 3560 switch with a 1242 AP for wireless connectivity. I have a registration portal shown on VLAN 20 where either an AD username and password can be entered to assign them a trusted role, or a sponsored route to the guest role via AD sponsorship. This all works as expected and the web GUI shows the necessary devices being assigned the relevant roles.

The issue I have is where I am trying to connect to the Guest VLAN from an autonomous Cisco 1242 AP configured as below. I am aware I have encryption assigned to VLAN 50 (trusted), where my plan is to make use of the Packetfence-SECURE SSID only for trusted users, but just trying to get a basic assignment of the guest VLAN, which I gather should work, causes problems. MAC authentication takes place but it will not assign it to the correct VLAN. The AP is on the list of approved devices and I am on the latest IOS. After registration is complete any attempt to connect to the SSID from an iPhone just disconnects and it never reconnects. The RADIUS debug traffic below suggests that the necessary attributes are being passed back to the AP and it is being instructed to connect to VLAN 40, but this does not appear to happen and no further connectivity occurs. It is as if it is being instructed to perform the disassociation and that is the conversation finished.

Am I missing something here in relation to the setup of this concept? I am aware that a controller rather than an autonomous AP is the preferred solution, but the 1242 is capable and I am running 12.4(25d), which would also support the Packet of Disconnect (RFC 3576) if necessary. It is difficult to obtain a controller for a proof of concept lab environment.
Let me know if there is anything else I can debug to get to the bottom of this issue or if there are some design changes that I need to consider. I am also going to try a 1262 to see if they work since they are a bit more recent.

Thanks
Jon

Cisco AP Config

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname PACKETFENCE-AP1
!
logging buffered notifications
logging rate-limit console 25
enable secret 5 **********
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 192.168.200.62 auth-port 1812 acct-port 1813
!
aaa group server radius rad_mac
 server 192.168.200.62 auth-port 1812 acct-port 1813
!
aaa group server radius rad_acct
 server 192.168.200.62 auth-port 1812 acct-port 1813
!
aaa group server radius rad_admin
 server 192.168.200.62 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods group rad_mac
aaa authentication login AdminUsers local
aaa authorization exec default local group rad_mac group rad_admin group rad_eap
aaa authorization network default group rad_mac
!
aaa session-id common
!
!
dot11 mbssid
dot11 syslog
dot11 activity-timeout unknown default 62
dot11 activity-timeout client default 62 maximum 120
dot11 activity-timeout repeater default 90 maximum 120
dot11 activity-timeout workgroup-bridge default 90 maximum 120
dot11 activity-timeout bridge default 90 maximum 120
dot11 vlan-name GUEST vlan 40
dot11 vlan-name ISOLATION vlan 30
dot11 vlan-name MANAGEMENT vlan 10
dot11 vlan-name REGISTRATION vlan 20
dot11 vlan-name TRUSTED vlan 50
!
dot11 ssid Packetfence-OPEN
 vlan 20 backup ISOLATION
 authentication open mac-address mac_methods
 mbssid guest-mode
!
dot11 ssid Packetfence-SECURE
 vlan 50
 authentication open eap eap_methods
 authentication key-management wpa
 mbssid guest-mode
!
dot11 network-map
!
!
username support privilege 15 password 7 ***************
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 timeout absolute 60 0
 !
 encryption vlan 30 mode ciphers aes-ccm
 !
 encryption vlan 50 mode ciphers aes-ccm
 !
 ssid Packetfence-OPEN
 !
 ssid Packetfence-SECURE
 !
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 252
 bridge-group 252 subscriber-loop-control
 bridge-group 252 block-unknown-source
 no bridge-group 252 source-learning
 no bridge-group 252 unicast-flooding
 bridge-group 252 spanning-disabled
!
interface Dot11Radio0.30
 encapsulation dot1Q 30
 no ip route-cache
 bridge-group 253
 bridge-group 253 subscriber-loop-control
 bridge-group 253 block-unknown-source
 no bridge-group 253 source-learning
 no bridge-group 253 unicast-flooding
 bridge-group 253 spanning-disabled
!
interface Dot11Radio0.40
 encapsulation dot1Q 40
 no ip route-cache
 bridge-group 254
 bridge-group 254 subscriber-loop-control
 bridge-group 254 block-unknown-source
 no bridge-group 254 source-learning
 no bridge-group 254 unicast-flooding
 bridge-group 254 spanning-disabled
!
interface Dot11Radio0.50
 encapsulation dot1Q 50
 no ip route-cache
 bridge-group 255
 bridge-group 255 subscriber-loop-control
 bridge-group 255 block-unknown-source
 no bridge-group 255 source-learning
 no bridge-group 255 unicast-flooding
 bridge-group 255 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 ip address 192.168.200.4 255.255.255.192
 no ip route-cache
 bridge-group 251
 no bridge-group 251 source-learning
 bridge-group 251 spanning-disabled
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 ip address 172.16.3.254 255.255.252.0
 no ip route-cache
 bridge-group 252
 no bridge-group 252 source-learning
 bridge-group 252 spanning-disabled
!
interface FastEthernet0.30
 encapsulation dot1Q 30
 no ip route-cache
 bridge-group 253
 no bridge-group 253 source-learning
 bridge-group 253 spanning-disabled
!
interface FastEthernet0.40
 encapsulation dot1Q 40
 no ip route-cache
 bridge-group 254
 no bridge-group 254 source-learning
 bridge-group 254 spanning-disabled
!
interface FastEthernet0.50
 encapsulation dot1Q 50
 no ip route-cache
 bridge-group 255
 no bridge-group 255 source-learning
 bridge-group 255 spanning-disabled
!
interface BVI1
 no ip address
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
logging history informational
logging trap debugging
snmp-server view iso iso included
snmp-server view dot11view ieee802dot11 included
snmp-server community public RO
snmp-server community private RW
snmp-server location Demo Location
snmp-server chassis-id JonsAP
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps entity
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps config
snmp-server enable traps syslog
snmp-server enable traps aaa_server
snmp-server host 192.168.200.62 public deauthenticate
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.200.62 auth-port 1812 acct-port 1813 key 7 ************
radius-server vsa send accounting
radius-server vsa send authentication
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login authentication AdminUsers
!
end

PACKETFENCE.LOG OUTPUT

Nov 21 15:53:25 httpd.webservices(2117) INFO: Unable to extract MAC from Called-Station-Id: 003a.9a55.5370 (pf::radius::extractApMacFromRadiusRequest)
Nov 21 15:53:25 httpd.webservices(2117) INFO: [40:b3:95:1c:20:aa] handling radius autz request: from switch_ip => (192.168.200.4), connection_type => Wireless-802.11-NoEAP,switch_mac => (), mac => [40:b3:95:1c:20:aa], port => 325, username => "40b3951c20aa" (pf::radius::authorize)
Nov 21 15:53:25 httpd.webservices(2117) INFO: Can't find provisioner for 40:b3:95:1c:20:aa (pf::vlan::getNormalVlan)
Nov 21 15:53:25 httpd.webservices(2117) INFO: [40:b3:95:1c:20:aa] Connection type is WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
Nov 21 15:53:25 httpd.webservices(2117) INFO: [40:b3:95:1c:20:aa] Username was defined "40b3951c20aa" - returning user based role 'guest' (pf::vlan::getNormalVlan)
Nov 21 15:53:25 httpd.webservices(2117) INFO: [40:b3:95:1c:20:aa] PID: "Jon.guestad", Status: reg. Returned VLAN: 40 (pf::vlan::fetchVlanForNode)
Nov 21 15:53:25 httpd.webservices(2117) WARN: Role-based Network Access Control is not supported on network device type pf::Switch::Cisco::Aironet_1242.
(pf::Switch::supportsRoleBasedEnforcement)
Nov 21 15:53:25 httpd.webservices(2117) INFO: [40:b3:95:1c:20:aa] (192.168.200.4) Returning ACCEPT with VLAN 40 and role (pf::Switch::returnRadiusAccessAccept)
Nov 21 15:53:26 httpd.webservices(2117) INFO: Unable to extract MAC from Called-Station-Id: 003a.9a55.5370 (pf::radius::extractApMacFromRadiusRequest)
Nov 21 15:53:26 httpd.webservices(2117) INFO: [40:b3:95:1c:20:aa] handling radius autz request: from switch_ip => (192.168.200.4), connection_type => Wireless-802.11-NoEAP,switch_mac => (), mac => [40:b3:95:1c:20:aa], port => 326, username => "40b3951c20aa" (pf::radius::authorize)
Nov 21 15:53:26 httpd.webservices(2117) INFO: Can't find provisioner for 40:b3:95:1c:20:aa (pf::vlan::getNormalVlan)
Nov 21 15:53:26 httpd.webservices(2117) INFO: [40:b3:95:1c:20:aa] Connection type is WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
Nov 21 15:53:26 httpd.webservices(2117) INFO: [40:b3:95:1c:20:aa] Username was defined "40b3951c20aa" - returning user based role 'guest' (pf::vlan::getNormalVlan)
Nov 21 15:53:26 httpd.webservices(2117) INFO: [40:b3:95:1c:20:aa] PID: "Jon.guestad", Status: reg. Returned VLAN: 40 (pf::vlan::fetchVlanForNode)
Nov 21 15:53:26 httpd.webservices(2117) WARN: Role-based Network Access Control is not supported on network device type pf::Switch::Cisco::Aironet_1242. (pf::Switch::supportsRoleBasedEnforcement)
Nov 21 15:53:26 httpd.webservices(2117) INFO: [40:b3:95:1c:20:aa] (192.168.200.4) Returning ACCEPT with VLAN 40 and role (pf::Switch::returnRadiusAccessAccept)
Nov 21 15:53:28 pfsetvlan(3) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
Nov 21 15:53:28 pfsetvlan(3) INFO: doWeActOnThisTrap returns false. Stop dot11Deauthentication handling (main::handleTrap)
Nov 21 15:53:28 pfsetvlan(3) INFO: finished (main::cleanupAfterThread)
Nov 21 15:53:30 pfsetvlan(5) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
Nov 21 15:53:30 pfsetvlan(5) INFO: doWeActOnThisTrap returns false. Stop dot11Deauthentication handling (main::handleTrap)
Nov 21 15:53:30 pfsetvlan(5) INFO: finished (main::cleanupAfterThread)

CISCO 1242 AG DEBUG OUTPUT

PACKETFENCE-AP1#
*Jun 16 01:05:24.942: AAA/BIND(00000051): Bind i/f
*Jun 16 01:05:24.943: dot11_auth_add_client_entry: Create new client 40b3.951c.20aa for application 0x1
*Jun 16 01:05:24.943: dot11_auth_initialize_client: 40b3.951c.20aa is added to the client list for application 0x1
*Jun 16 01:05:24.943: dot11_auth_add_client_entry: req->auth_type 1
*Jun 16 01:05:24.943: dot11_auth_add_client_entry: auth_methods_inprocess: 1
*Jun 16 01:05:24.943: dot11_auth_add_client_entry: mac list name: mac_methods
*Jun 16 01:05:24.943: dot11_run_auth_methods: Start auth method MAC
*Jun 16 01:05:24.943: dot11_auth_mac_start: method_list: mac_methods
*Jun 16 01:05:24.943: dot11_auth_mac_start: method_index: 0xC7000002, req: 0x12BAB74
*Jun 16 01:05:24.944: dot11_auth_mac_start: client->unique_id: 0x51
*Jun 16 01:05:24.944: AAA/AUTHEN/PPP (00000051): Pick method list 'mac_methods'
*Jun 16 01:05:24.944: RADIUS/ENCODE(00000051):Orig. component type = DOT11
*Jun 16 01:05:24.945: RADIUS(00000051): Config NAS IP: 0.0.0.0
*Jun 16 01:05:24.945: RADIUS/ENCODE(00000051): acct_session_id: 81
*Jun 16 01:05:24.945: RADIUS(00000051): Config NAS IP: 0.0.0.0
*Jun 16 01:05:24.945: RADIUS(00000051): sending
*Jun 16 01:05:24.945: RADIUS/ENCODE: Best Local IP-Address 192.168.200.4 for Radius-Server 192.168.200.62
*Jun 16 01:05:24.946: RADIUS(00000051): Send Access-Request to 192.168.200.62:1812 id 1645/88, len 174
*Jun 16 01:05:24.946: RADIUS: authenticator 79 D1 BF 70 46 64 BC 2B - 3D 86 C0 5A 72 B9 85 5C
*Jun 16 01:05:24.946: RADIUS: User-Name [1] 14 "40b3951c20aa"
*Jun 16 01:05:24.946: RADIUS: User-Password [2] 18 *
*Jun 16 01:05:24.946: RADIUS: Called-Station-Id [30] 16 "003a.9a55.5370"
*Jun 16 01:05:24.946: RADIUS: Calling-Station-Id [31] 16 "40b3.951c.20aa"
*Jun 16 01:05:24.947: RADIUS: Vendor, Cisco [26] 23
*Jun 16 01:05:24.947: RADIUS: Cisco AVpair [1] 17 "ssid=Packetfence-OPEN"
*Jun 16 01:05:24.947: RADIUS: Vendor, WISPr [26] 21
*Jun 16 01:05:24.947: RADIUS: WISPr VSA [2] 15 "Demo Location"
*Jun 16 01:05:24.947: RADIUS: Service-Type [6] 6 Login [1]
*Jun 16 01:05:24.947: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
*Jun 16 01:05:24.947: RADIUS: NAS-Port [5] 6 325
*Jun 16 01:05:24.947: RADIUS: NAS-Port-Id [87] 5 "325"
*Jun 16 01:05:24.947: RADIUS: NAS-IP-Address [4] 6 192.168.200.4
*Jun 16 01:05:24.948: RADIUS: Nas-Identifier [32] 17 "PACKETFENCE-AP1"
*Jun 16 01:05:25.122: RADIUS: Received from id 1645/88 192.168.200.62:1812, Access-Accept, len 36
*Jun 16 01:05:25.123: RADIUS: authenticator 30 03 51 64 B0 B7 D2 C7 - 0C B8 68 92 32 62 13 1C
*Jun 16 01:05:25.123: RADIUS: Tunnel-Private-Group[81] 4 "40"
*Jun 16 01:05:25.123: RADIUS: Tunnel-Type [64] 6 00:VLAN [13]
*Jun 16 01:05:25.123: RADIUS: Tunnel-Medium-Type [65] 6 00:ALL_802 [6]
*Jun 16 01:05:25.123: RADIUS(00000051): Received from id 1645/88
*Jun 16 01:05:25.124: dot11_mac_process_reply: AAA reply for 40b3.951c.20aa PASSED
*Jun 16 01:05:25.124: dot11_auth_server_chk_ssid: Checking for SSID in server attributes
*Jun 16 01:05:25.124: dot11_auth_server_vlan_number: Checking for VLAN ID in server attributes
*Jun 16 01:05:25.124: dot11_auth_server_vlan_number: Found AAA_AT_TUNNEL_TYPE attribute
*Jun 16 01:05:25.124: dot11_auth_server_vlan_number: Found AAA_AT_TUNNEL_TYPE VLAN
*Jun 16 01:05:25.124: dot11_auth_server_vlan_number: Tag found is 0
*Jun 16 01:05:25.125: dot11_auth_server_vlan_number: Found AAA_AT_TUNNEL_MEDIUM_TYPE attribute
*Jun 16 01:05:25.125: dot11_auth_server_vlan_number: Found AAA_AT_TUNNEL_MEDIUM_TYPE with value 802
*Jun 16 01:05:25.125: dot11_auth_server_vlan_number: Found our group tag 0
*Jun 16 01:05:25.125: dot11_auth_server_vlan_number: Found AAA_AT_TUNNEL_PRIVATE_GROUP_IDattribute 81
*Jun 16 01:05:25.125: dot11_auth_server_vlan_number: Found our group tag 0
*Jun 16 01:05:25.125: dot11_auth_server_vlan_number: TUNNEL_PRIVATE_GROUP_ID attribute number string 40 for vlan 40
*Jun 16 01:05:25.125: dot11_auth_server_get_timeout: Checking for session time out value - attribute #27
*Jun 16 01:05:25.125: dot11_auth_send_msg: sending data to requestor status 2
*Jun 16 01:05:25.126: dot11_auth_send_msg: resp->nsk_len 0 resp->auth_key_len 0
*Jun 16 01:05:25.126: dot11_auth_send_msg: client authenticated 40b3.951c.20aa, node_type 64 for application 0x1
*Jun 16 01:05:25.126: dot11_auth_delete_client_entry: 40b3.951c.20aa is deleted for application 0x1
*Jun 16 01:05:25.126: dot11_auth_client_abort: Received abort request for client 40b3.951c.20aa
*Jun 16 01:05:25.126: dot11_auth_client_abort: No client entry to abort: 40b3.951c.20aa for application 0x1
*Jun 16 01:05:25.127: Outgoing SNMP packet
*Jun 16 01:05:25.128: v1 packet
*Jun 16 01:05:25.128: community string: public
*Jun 16 01:05:25.909: AAA/BIND(00000052): Bind i/f
*Jun 16 01:05:25.909: dot11_auth_add_client_entry: Create new client 40b3.951c.20aa for application 0x1
*Jun 16 01:05:25.909: dot11_auth_initialize_client: 40b3.951c.20aa is added to the client list for application 0x1
*Jun 16 01:05:25.909: dot11_auth_add_client_entry: req->auth_type 1
*Jun 16 01:05:25.910: dot11_auth_add_client_entry: auth_methods_inprocess: 1
*Jun 16 01:05:25.910: dot11_auth_add_client_entry: mac list name: mac_methods
*Jun 16 01:05:25.910: dot11_run_auth_methods: Start auth method MAC
*Jun 16 01:05:25.910: dot11_auth_mac_start: method_list: mac_methods
*Jun 16 01:05:25.910: dot11_auth_mac_start: method_index: 0xC7000002, req: 0x12BAB74
*Jun 16 01:05:25.910: dot11_auth_mac_start: client->unique_id: 0x52
*Jun 16 01:05:25.910: AAA/AUTHEN/PPP (00000052): Pick method list 'mac_methods'
*Jun 16 01:05:25.911: RADIUS/ENCODE(00000052):Orig. component type = DOT11
*Jun 16 01:05:25.911: RADIUS(00000052): Config NAS IP: 0.0.0.0
*Jun 16 01:05:25.911: RADIUS/ENCODE(00000052): acct_session_id: 82
*Jun 16 01:05:25.911: RADIUS(00000052): Config NAS IP: 0.0.0.0
*Jun 16 01:05:25.912: RADIUS(00000052): sending
*Jun 16 01:05:25.912: RADIUS/ENCODE: Best Local IP-Address 192.168.200.4 for Radius-Server 192.168.200.62
*Jun 16 01:05:25.912: RADIUS(00000052): Send Access-Request to 192.168.200.62:1812 id 1645/89, len 174
*Jun 16 01:05:25.912: RADIUS: authenticator A9 C9 4E 4E 43 F2 F3 93 - 1C 74 AE 7C 41 AE C9 9D
*Jun 16 01:05:25.913: RADIUS: User-Name [1] 14 "40b3951c20aa"
*Jun 16 01:05:25.913: RADIUS: User-Password [2] 18 *
*Jun 16 01:05:25.913: RADIUS: Called-Station-Id [30] 16 "003a.9a55.5370"
*Jun 16 01:05:25.913: RADIUS: Calling-Station-Id [31] 16 "40b3.951c.20aa"
*Jun 16 01:05:25.913: RADIUS: Vendor, Cisco [26] 23
*Jun 16 01:05:25.913: RADIUS: Cisco AVpair [1] 17 "ssid=Packetfence-OPEN"
*Jun 16 01:05:25.913: RADIUS: Vendor, WISPr [26] 21
*Jun 16 01:05:25.913: RADIUS: WISPr VSA [2] 15 "Demo Location"
*Jun 16 01:05:25.914: RADIUS: Service-Type [6] 6 Login [1]
*Jun 16 01:05:25.914: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
*Jun 16 01:05:25.914: RADIUS: NAS-Port [5] 6 326
*Jun 16 01:05:25.914: RADIUS: NAS-Port-Id [87] 5 "326"
*Jun 16 01:05:25.914: RADIUS: NAS-IP-Address [4] 6 192.168.200.4
*Jun 16 01:05:25.914: RADIUS: Nas-Identifier [32] 17 "PACKETFENCE-AP1"
*Jun 16 01:05:25.987: RADIUS: Received from id 1645/89 192.168.200.62:1812, Access-Accept, len 36
*Jun 16 01:05:25.988: RADIUS: authenticator 79 CC 4B AF A3 B0 A3 91 - 2F AB FE 1D 7F F9 A0 E2
*Jun 16 01:05:25.988: RADIUS: Tunnel-Private-Group[81] 4 "40"
*Jun 16 01:05:25.988: RADIUS: Tunnel-Type [64] 6 00:VLAN [13]
*Jun 16 01:05:25.988: RADIUS: Tunnel-Medium-Type [65] 6 00:ALL_802 [6]
*Jun 16 01:05:25.989: RADIUS(00000052): Received from id 1645/89
*Jun 16 01:05:25.989: dot11_mac_process_reply: AAA reply for 40b3.951c.20aa PASSED
*Jun 16 01:05:25.989: dot11_auth_server_chk_ssid: Checking for SSID in server attributes
*Jun 16 01:05:25.989: dot11_auth_server_vlan_number: Checking for VLAN ID in server attributes
*Jun 16 01:05:25.989: dot11_auth_server_vlan_number: Found AAA_AT_TUNNEL_TYPE attribute
*Jun 16 01:05:25.989: dot11_auth_server_vlan_number: Found AAA_AT_TUNNEL_TYPE VLAN
*Jun 16 01:05:25.990: dot11_auth_server_vlan_number: Tag found is 0
*Jun 16 01:05:25.990: dot11_auth_server_vlan_number: Found AAA_AT_TUNNEL_MEDIUM_TYPE attribute
*Jun 16 01:05:25.990: dot11_auth_server_vlan_number: Found AAA_AT_TUNNEL_MEDIUM_TYPE with value 802
*Jun 16 01:05:25.990: dot11_auth_server_vlan_number: Found our group tag 0
*Jun 16 01:05:25.990: dot11_auth_server_vlan_number: Found AAA_AT_TUNNEL_PRIVATE_GROUP_IDattribute 81
*Jun 16 01:05:25.990: dot11_auth_server_vlan_number: Found our group tag 0
*Jun 16 01:05:25.990: dot11_auth_server_vlan_number: TUNNEL_PRIVATE_GROUP_ID attribute number string 40 for vlan 40
*Jun 16 01:05:25.990: dot11_auth_server_get_timeout: Checking for session time out value - attribute #27
*Jun 16 01:05:25.991: dot11_auth_send_msg: sending data to requestor status 2
*Jun 16 01:05:25.991: dot11_auth_send_msg: resp->nsk_len 0 resp->auth_key_len 0
*Jun 16 01:05:25.991: dot11_auth_send_msg: client authenticated 40b3.951c.20aa, node_type 64 for application 0x1
*Jun 16 01:05:25.991: dot11_auth_delete_client_entry: 40b3.951c.20aa is deleted for application 0x1
*Jun 16 01:05:25.991: dot11_auth_client_abort: Received abort request for client 40b3.951c.20aa
*Jun 16 01:05:25.991: dot11_auth_client_abort: No client entry to abort: 40b3.951c.20aa for application 0x1
*Jun 16 01:05:25.993: Outgoing SNMP packet
*Jun 16 01:05:25.993: v1 packet
*Jun 16 01:05:25.993: community string: public

PACKETFENCE RADIUS DEBUG OUTPUT

rad_recv: Access-Request packet from host 192.168.200.4 port 1645, id=88, length=174
    User-Name = "40b3951c20aa"
    User-Password = "40b3951c20aa"
    Called-Station-Id = "003a.9a55.5370"
    Calling-Station-Id = "40b3.951c.20aa"
    Cisco-AVPair = "ssid=Packetfence-OPEN"
    WISPr-Location-Name = "Demo Location"
    Service-Type = Login-User
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 325
    NAS-Port-Id = "325"
    NAS-IP-Address = 192.168.200.4
    NAS-Identifier = "PACKETFENCE-AP1"
server packetfence {
# Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence
+group authorize {
[suffix] No '@' in User-Name = "40b3951c20aa", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++[preprocess] = ok
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] users: Matched entry DEFAULT at line 1
++[files] = ok
++[expiration] = noop
++[logintime] = noop
++update request {
    expand: %{Packet-Src-IP-Address} -> 192.168.200.4
++} # update request = noop
++update control {
++} # update control = noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Login-User
rlm_perl: Added pair Calling-Station-Id = 40b3.951c.20aa
rlm_perl: Added pair Called-Station-Id = 003a.9a55.5370
rlm_perl: Added pair FreeRADIUS-Client-IP-Address = 192.168.200.4
rlm_perl: Added pair Cisco-AVPair = ssid=Packetfence-OPEN
rlm_perl: Added pair User-Name = 40b3951c20aa
rlm_perl: Added pair NAS-Identifier = PACKETFENCE-AP1
rlm_perl: Added pair User-Password = 40b3951c20aa
rlm_perl: Added pair NAS-IP-Address = 192.168.200.4
rlm_perl: Added pair NAS-Port = 325
rlm_perl: Added pair NAS-Port-Id = 325
rlm_perl: Added pair WISPr-Location-Name = Demo Location
rlm_perl: Added pair PacketFence-RPC-Pass =
rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1
rlm_perl: Added pair PacketFence-RPC-Proto = http
rlm_perl: Added pair PacketFence-RPC-User =
rlm_perl: Added pair Auth-Type = Accept
rlm_perl: Added pair PacketFence-RPC-Port = 9090
++[packetfence] = noop
+} # group authorize = ok
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Login OK: [40b3951c20aa] (from client 192.168.200.4 port 325 cli 40b3.951c.20aa)
} # server packetfence
# Executing section post-auth from file /usr/local/pf/raddb/sites-enabled/packetfence
+group post-auth {
++[exec] = noop
++? if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP))
? Evaluating !(EAP-Type ) -> TRUE
?? Skipping (EAP-Type != EAP-TTLS )
?? Skipping (EAP-Type != PEAP)
++? if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) -> TRUE
++if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) {
+++update control {
+++} # update control = noop
rlm_perl: Returning vlan 40 to request from 40:b3:95:1c:20:aa port 325
rlm_perl: PacketFence RESULT RESPONSE CODE: 2 (2 means OK)
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Login-User
rlm_perl: Added pair Called-Station-Id = 003a.9a55.5370
rlm_perl: Added pair Calling-Station-Id = 40b3.951c.20aa
rlm_perl: Added pair FreeRADIUS-Client-IP-Address = 192.168.200.4
rlm_perl: Added pair Cisco-AVPair = ssid=Packetfence-OPEN
rlm_perl: Added pair User-Name = 40b3951c20aa
rlm_perl: Added pair NAS-Identifier = PACKETFENCE-AP1
rlm_perl: Added pair User-Password = 40b3951c20aa
rlm_perl: Added pair NAS-Port = 325
rlm_perl: Added pair NAS-IP-Address = 192.168.200.4
rlm_perl: Added pair WISPr-Location-Name = Demo Location
rlm_perl: Added pair NAS-Port-Id = 325
rlm_perl: Added pair Tunnel-Private-Group-ID = 40
rlm_perl: Added pair Tunnel-Type = 13
rlm_perl: Added pair Tunnel-Medium-Type = 6
rlm_perl: Added pair PacketFence-RPC-Pass =
rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1
rlm_perl: Added pair PacketFence-RPC-User =
rlm_perl: Added pair PacketFence-RPC-Proto = http
rlm_perl: Added pair Auth-Type = Accept
rlm_perl: Added pair PacketFence-RPC-Port = 9090
+++[packetfence] = ok
++} # if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) = ok
+} # group post-auth = ok
Sending Access-Accept of id 88 to 192.168.200.4 port 1645
    Tunnel-Private-Group-Id:0 = "40"
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.200.4 port 1645, id=89, length=174
    User-Name = "40b3951c20aa"
    User-Password = "40b3951c20aa"
    Called-Station-Id = "003a.9a55.5370"
    Calling-Station-Id = "40b3.951c.20aa"
    Cisco-AVPair = "ssid=Packetfence-OPEN"
    WISPr-Location-Name = "Demo Location"
    Service-Type = Login-User
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 326
    NAS-Port-Id = "326"
    NAS-IP-Address = 192.168.200.4
    NAS-Identifier = "PACKETFENCE-AP1"
server packetfence {
# Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence
+group authorize {
[suffix] No '@' in User-Name = "40b3951c20aa", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++[preprocess] = ok
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] users: Matched entry DEFAULT at line 1
++[files] = ok
++[expiration] = noop
++[logintime] = noop
++update request {
    expand: %{Packet-Src-IP-Address} -> 192.168.200.4
++} # update request = noop
++update control {
++} # update control = noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Login-User
rlm_perl: Added pair Calling-Station-Id = 40b3.951c.20aa
rlm_perl: Added pair Called-Station-Id = 003a.9a55.5370
rlm_perl: Added pair FreeRADIUS-Client-IP-Address = 192.168.200.4
rlm_perl: Added pair Cisco-AVPair = ssid=Packetfence-OPEN
rlm_perl: Added pair User-Name = 40b3951c20aa
rlm_perl: Added pair NAS-Identifier = PACKETFENCE-AP1
rlm_perl: Added pair User-Password = 40b3951c20aa
rlm_perl: Added pair NAS-IP-Address = 192.168.200.4
rlm_perl: Added pair NAS-Port = 326
rlm_perl: Added pair NAS-Port-Id = 326
rlm_perl: Added pair WISPr-Location-Name = Demo Location
rlm_perl: Added pair PacketFence-RPC-Pass =
rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1
rlm_perl: Added pair PacketFence-RPC-Proto = http
rlm_perl: Added pair PacketFence-RPC-User =
rlm_perl: Added pair Auth-Type = Accept
rlm_perl: Added pair PacketFence-RPC-Port = 9090
++[packetfence] = noop
+} # group authorize = ok
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Login OK: [40b3951c20aa] (from client 192.168.200.4 port 326 cli 40b3.951c.20aa)
} # server packetfence
# Executing section post-auth from file /usr/local/pf/raddb/sites-enabled/packetfence
+group post-auth {
++[exec] = noop
++? if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP))
? Evaluating !(EAP-Type ) -> TRUE
?? Skipping (EAP-Type != EAP-TTLS )
?? Skipping (EAP-Type != PEAP)
++? if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) -> TRUE
++if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) {
+++update control {
+++} # update control = noop
rlm_perl: Returning vlan 40 to request from 40:b3:95:1c:20:aa port 326
rlm_perl: PacketFence RESULT RESPONSE CODE: 2 (2 means OK)
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Login-User
rlm_perl: Added pair Called-Station-Id = 003a.9a55.5370
rlm_perl: Added pair Calling-Station-Id = 40b3.951c.20aa
rlm_perl: Added pair FreeRADIUS-Client-IP-Address = 192.168.200.4
rlm_perl: Added pair Cisco-AVPair = ssid=Packetfence-OPEN
rlm_perl: Added pair User-Name = 40b3951c20aa
rlm_perl: Added pair NAS-Identifier = PACKETFENCE-AP1
rlm_perl: Added pair User-Password = 40b3951c20aa
rlm_perl: Added pair NAS-Port = 326
rlm_perl: Added pair NAS-IP-Address = 192.168.200.4
rlm_perl: Added pair WISPr-Location-Name = Demo Location
rlm_perl: Added pair NAS-Port-Id = 326
rlm_perl: Added pair Tunnel-Private-Group-ID = 40
rlm_perl: Added pair Tunnel-Type = 13
rlm_perl: Added pair Tunnel-Medium-Type = 6
rlm_perl: Added pair PacketFence-RPC-Pass =
rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1
rlm_perl: Added pair PacketFence-RPC-User =
rlm_perl: Added pair PacketFence-RPC-Proto = http
rlm_perl: Added pair Auth-Type = Accept
rlm_perl: Added pair PacketFence-RPC-Port = 9090
+++[packetfence] = ok
++} # if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) = ok
+} # group post-auth = ok
Sending Access-Accept of id 89 to 192.168.200.4 port 1645
    Tunnel-Private-Group-Id:0 = "40"
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
Finished request 1.
PacketFence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users
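Added example (not part of the original post, and not PacketFence or FreeRADIUS code): a small Python parser that walks a FreeRADIUS debug trace of the kind shown above, pairs each Access-Request with its reply, and checks that the Access-Accept carries the complete RFC 3580 dynamic-VLAN triple (Tunnel-Type = VLAN/13, Tunnel-Medium-Type = IEEE-802/6, Tunnel-Private-Group-Id) under one consistent tag. The embedded trace is constructed: exchange id 89 is abridged from the post's output, and id 90 is invented to show a reply that lacks Tunnel-Medium-Type. All function and constant names are mine.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample trace, modelled on the post's FreeRADIUS debug output.
# id 89 mirrors the post (abridged); id 90 is invented to show a reply missing
# Tunnel-Medium-Type.
SAMPLE_TRACE = """\
rad_recv: Access-Request packet from host 192.168.200.4 port 1645, id=89, length=174
    User-Name = "40b3951c20aa"
    Calling-Station-Id = "40b3.951c.20aa"
    Cisco-AVPair = "ssid=Packetfence-OPEN"
    Service-Type = Login-User
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 326
    NAS-IP-Address = 192.168.200.4
server packetfence {
rlm_perl: Returning vlan 40 to request from 40:b3:95:1c:20:aa port 326
Sending Access-Accept of id 89 to 192.168.200.4 port 1645
    Tunnel-Private-Group-Id:0 = "40"
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
Finished request 1.
rad_recv: Access-Request packet from host 192.168.200.4 port 1645, id=90, length=174
    User-Name = "40b3951c20aa"
    Calling-Station-Id = "40b3.951c.20aa"
    Cisco-AVPair = "ssid=Packetfence-OPEN"
    NAS-Port = 327
Sending Access-Accept of id 90 to 192.168.200.4 port 1645
    Tunnel-Private-Group-Id:0 = "40"
    Tunnel-Type:0 = VLAN
Finished request 2.
"""

# RFC 3580 values for VLAN assignment; FreeRADIUS prints the symbolic names.
VLAN_TUNNEL_TYPE = {"VLAN", "13"}
VLAN_MEDIUM_TYPE = {"IEEE-802", "6"}
REQUIRED_TUNNEL_ATTRS = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id")

REQ_RE = re.compile(r"^rad_recv: Access-Request packet from host (\S+) port \d+, id=(\d+)")
REPLY_RE = re.compile(r"^Sending Access-(\w+) of id (\d+) to (\S+)")
# Indented "Attr[:tag] = value" lines; value may or may not be quoted.
ATTR_RE = re.compile(r'^\s+([\w-]+)(?::(\d+))? = "?([^"]*)"?$')


@dataclass
class Exchange:
    request_id: str
    nas: str
    request: Dict[str, str] = field(default_factory=dict)
    reply_code: Optional[str] = None
    reply: Dict[str, str] = field(default_factory=dict)
    reply_tags: Set[str] = field(default_factory=set)


def parse_trace(text: str) -> List[Exchange]:
    """Group a FreeRADIUS debug trace into request/reply exchanges keyed by packet id."""
    exchanges: List[Exchange] = []
    current: Optional[Exchange] = None
    target: Optional[Dict[str, str]] = None  # dict receiving attribute lines, if any
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            current = Exchange(request_id=m.group(2), nas=m.group(1))
            exchanges.append(current)
            target = current.request
            continue
        m = REPLY_RE.match(line)
        if m and current is not None and m.group(2) == current.request_id:
            current.reply_code = m.group(1)
            target = current.reply
            continue
        m = ATTR_RE.match(line)
        if m and target is not None:
            name, tag, value = m.groups()
            target[name] = value
            if tag is not None and target is current.reply:
                current.reply_tags.add(tag)
        elif not line.startswith((" ", "\t")):
            target = None  # any unindented line ends the attribute list
    return exchanges


def summarize(ex: Exchange) -> Dict[str, Optional[str]]:
    """Condense one exchange to the fields a NAC operator looks at first."""
    avpair = ex.request.get("Cisco-AVPair", "")
    ssid = avpair.split("=", 1)[1] if avpair.startswith("ssid=") else None
    return {"id": ex.request_id, "nas": ex.nas, "mac": ex.request.get("Calling-Station-Id"),
            "ssid": ssid, "port": ex.request.get("NAS-Port"), "reply": ex.reply_code,
            "vlan": ex.reply.get("Tunnel-Private-Group-Id")}


def check_vlan_assignment(ex: Exchange) -> List[str]:
    """Return findings about the reply's VLAN attributes; an empty list means complete."""
    if ex.reply_code is None:
        return ["no reply seen for request id %s" % ex.request_id]
    if ex.reply_code != "Accept":
        return ["Access-%s for %s" % (ex.reply_code, ex.request.get("User-Name", "?"))]
    findings = []
    missing = [a for a in REQUIRED_TUNNEL_ATTRS if a not in ex.reply]
    if missing:
        findings.append("Access-Accept lacks %s (RFC 3580 needs all three)" % ", ".join(missing))
    tt = ex.reply.get("Tunnel-Type")
    if tt is not None and tt not in VLAN_TUNNEL_TYPE:
        findings.append("Tunnel-Type is %s, expected VLAN (13)" % tt)
    mt = ex.reply.get("Tunnel-Medium-Type")
    if mt is not None and mt not in VLAN_MEDIUM_TYPE:
        findings.append("Tunnel-Medium-Type is %s, expected IEEE-802 (6)" % mt)
    if len(ex.reply_tags) > 1:
        findings.append("tunnel attributes carry mixed tags %s" % sorted(ex.reply_tags))
    return findings


if __name__ == "__main__":
    for ex in parse_trace(SAMPLE_TRACE):
        print(summarize(ex))
        for finding in check_vlan_assignment(ex) or ["ok: complete VLAN assignment"]:
            print("   ", finding)
```

Run against the real trace with `parse_trace(open("radius-debug.txt").read())`. A clean result for an exchange, as for id 89 here and for both exchanges in the post, confirms the server's reply is complete and well-formed, so further troubleshooting belongs on the NAS side (how the AP applies the returned VLAN) rather than in PacketFence's RADIUS configuration.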
