Hello Jon,

all the logs are ok, so it looks like a limitation of the Cisco access point. I remember that a standalone access point can't share the same VLAN id on 2 SSIDs.

https://github.com/inverse-inc/packetfence/blob/devel/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc#aironet-1121-1130-1242-1250

Is it the case in your config?

Regards
Fabrice

On 2014-11-25 11:09, Gair, Jon wrote:
> I have been looking at Packetfence in a small lab environment for a
> couple of weeks now and believe I have the Packetfence side of
> things set up as I want, with the following VLANs in operation to
> provide network isolation:
>
> VLAN 10 - Management (192.168.200.x range)
> VLAN 20 - Registration (DHCP served by Packetfence)
> VLAN 30 - Isolation
> VLAN 40 - Guest (DHCP served by Windows server)
> VLAN 50 - Approved (DHCP served by Windows server)
>
> I have a physical 3560 switch with a 1242 AP for wireless
> connectivity.
>
> I have a registration portal shown on VLAN20 where either an AD
> username and password can be entered to assign them a trusted role
> or a sponsored route to the guest role via AD sponsorship. This
> all works as expected and the web GUI shows the necessary devices
> being assigned the relevant roles.
>
> The issue I have is where I am trying to connect to the Guest VLAN
> from an autonomous Cisco 1242 AP configured as below. Aware I have
> encryption assigned to VLAN50 (trusted), where my plan is to make
> use of the Packetfence-secure SSID only for trusted users, but just
> trying to get a basic assignment of the guest VLAN, which I gather
> should work, causes problems. MAC authentication takes place but it
> will not assign it to the correct VLAN.
>
> The AP is on the list of approved devices and I am on the latest
> IOS. After registration is complete any attempt to connect to the
> SSID from an iPhone just disconnects and it never reconnects.
> The RADIUS debug traffic below suggests that the necessary attributes
> are being passed back to the AP and it is being instructed to
> connect to VLAN40, but this does not appear to happen and no further
> connectivity occurs. It is as if it is being instructed to perform
> the disassociation and that is the conversation finished.
>
> Am I missing something here in relation to the setup of this
> concept? Aware that a controller rather than an autonomous AP is the
> preferred solution, but the 1242 is capable and I am running
> 12.4(25d) which would also support the Packet of Disconnect (RFC
> 3576) if necessary. Difficult to obtain a controller for a proof
> of concept lab environment.
>
> Let me know if there is anything else I can debug to get to the
> bottom of this issue or if there are some design changes that I need
> to consider. Also going to try a 1262 to see if they work since
> they are a bit more recent.
>
> Thanks
>
> Jon
>
>
> Cisco AP Config
>
> version 12.4
> no service pad
> service timestamps debug datetime msec
> service timestamps log datetime msec
> service password-encryption
> !
> hostname PACKETFENCE-AP1
> !
> logging buffered notifications
> logging rate-limit console 25
> enable secret 5 **********
> !
> aaa new-model
> !
> !
> aaa group server radius rad_eap
>  server 192.168.200.62 auth-port 1812 acct-port 1813
> !
> aaa group server radius rad_mac
>  server 192.168.200.62 auth-port 1812 acct-port 1813
> !
> aaa group server radius rad_acct
>  server 192.168.200.62 auth-port 1812 acct-port 1813
> !
> aaa group server radius rad_admin
>  server 192.168.200.62 auth-port 1812 acct-port 1813
> !
> aaa authentication login eap_methods group rad_eap
> aaa authentication login mac_methods group rad_mac
> aaa authentication login AdminUsers local
> aaa authorization exec default local group rad_mac group rad_admin group rad_eap
> aaa authorization network default group rad_mac
> !
> aaa session-id common
> !
> !
> dot11 mbssid
> dot11 syslog
> dot11 activity-timeout unknown default 62
> dot11 activity-timeout client default 62 maximum 120
> dot11 activity-timeout repeater default 90 maximum 120
> dot11 activity-timeout workgroup-bridge default 90 maximum 120
> dot11 activity-timeout bridge default 90 maximum 120
> dot11 vlan-name GUEST vlan 40
> dot11 vlan-name ISOLATION vlan 30
> dot11 vlan-name MANAGEMENT vlan 10
> dot11 vlan-name REGISTRATION vlan 20
> dot11 vlan-name TRUSTED vlan 50
> !
> dot11 ssid Packetfence-OPEN
>  vlan 20 backup ISOLATION
>  authentication open mac-address mac_methods
>  mbssid guest-mode
> !
> dot11 ssid Packetfence-SECURE
>  vlan 50
>  authentication open eap eap_methods
>  authentication key-management wpa
>  mbssid guest-mode
> !
> dot11 network-map
> !
> !
> username support privilege 15 password 7 ***************
> !
> !
> bridge irb
> !
> !
> interface Dot11Radio0
>  no ip address
>  no ip route-cache
>  timeout absolute 60 0
>  !
>  encryption vlan 30 mode ciphers aes-ccm
>  !
>  encryption vlan 50 mode ciphers aes-ccm
>  !
>  ssid Packetfence-OPEN
>  !
>  ssid Packetfence-SECURE
>  !
>  station-role root
>  bridge-group 1
>  bridge-group 1 subscriber-loop-control
>  bridge-group 1 block-unknown-source
>  no bridge-group 1 source-learning
>  no bridge-group 1 unicast-flooding
>  bridge-group 1 spanning-disabled
> !
> interface Dot11Radio0.20
>  encapsulation dot1Q 20
>  no ip route-cache
>  bridge-group 252
>  bridge-group 252 subscriber-loop-control
>  bridge-group 252 block-unknown-source
>  no bridge-group 252 source-learning
>  no bridge-group 252 unicast-flooding
>  bridge-group 252 spanning-disabled
> !
> interface Dot11Radio0.30
>  encapsulation dot1Q 30
>  no ip route-cache
>  bridge-group 253
>  bridge-group 253 subscriber-loop-control
>  bridge-group 253 block-unknown-source
>  no bridge-group 253 source-learning
>  no bridge-group 253 unicast-flooding
>  bridge-group 253 spanning-disabled
> !
> interface Dot11Radio0.40
>  encapsulation dot1Q 40
>  no ip route-cache
>  bridge-group 254
>  bridge-group 254 subscriber-loop-control
>  bridge-group 254 block-unknown-source
>  no bridge-group 254 source-learning
>  no bridge-group 254 unicast-flooding
>  bridge-group 254 spanning-disabled
> !
> interface Dot11Radio0.50
>  encapsulation dot1Q 50
>  no ip route-cache
>  bridge-group 255
>  bridge-group 255 subscriber-loop-control
>  bridge-group 255 block-unknown-source
>  no bridge-group 255 source-learning
>  no bridge-group 255 unicast-flooding
>  bridge-group 255 spanning-disabled
> !
> interface Dot11Radio1
>  no ip address
>  no ip route-cache
>  shutdown
>  no dfs band block
>  channel dfs
>  station-role root
>  bridge-group 1
>  bridge-group 1 subscriber-loop-control
>  bridge-group 1 block-unknown-source
>  no bridge-group 1 source-learning
>  no bridge-group 1 unicast-flooding
>  bridge-group 1 spanning-disabled
> !
> interface FastEthernet0
>  no ip address
>  no ip route-cache
>  duplex auto
>  speed auto
>  bridge-group 1
>  no bridge-group 1 source-learning
>  bridge-group 1 spanning-disabled
> !
> interface FastEthernet0.10
>  encapsulation dot1Q 10
>  ip address 192.168.200.4 255.255.255.192
>  no ip route-cache
>  bridge-group 251
>  no bridge-group 251 source-learning
>  bridge-group 251 spanning-disabled
> !
> interface FastEthernet0.20
>  encapsulation dot1Q 20
>  ip address 172.16.3.254 255.255.252.0
>  no ip route-cache
>  bridge-group 252
>  no bridge-group 252 source-learning
>  bridge-group 252 spanning-disabled
> !
> interface FastEthernet0.30
>  encapsulation dot1Q 30
>  no ip route-cache
>  bridge-group 253
>  no bridge-group 253 source-learning
>  bridge-group 253 spanning-disabled
> !
> interface FastEthernet0.40
>  encapsulation dot1Q 40
>  no ip route-cache
>  bridge-group 254
>  no bridge-group 254 source-learning
>  bridge-group 254 spanning-disabled
> !
> interface FastEthernet0.50
>  encapsulation dot1Q 50
>  no ip route-cache
>  bridge-group 255
>  no bridge-group 255 source-learning
>  bridge-group 255 spanning-disabled
> !
> interface BVI1
>  no ip address
>  no ip route-cache
> !
> ip http server
> no ip http secure-server
> ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
> logging history informational
> logging trap debugging
> snmp-server view iso iso included
> snmp-server view dot11view ieee802dot11 included
> snmp-server community public RO
> snmp-server community private RW
> snmp-server location Demo Location
> snmp-server chassis-id JonsAP
> snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
> snmp-server enable traps tty
> snmp-server enable traps entity
> snmp-server enable traps disassociate
> snmp-server enable traps deauthenticate
> snmp-server enable traps authenticate-fail
> snmp-server enable traps dot11-qos
> snmp-server enable traps switch-over
> snmp-server enable traps rogue-ap
> snmp-server enable traps wlan-wep
> snmp-server enable traps config
> snmp-server enable traps syslog
> snmp-server enable traps aaa_server
> snmp-server host 192.168.200.62 public deauthenticate
> radius-server attribute 32 include-in-access-req format %h
> radius-server host 192.168.200.62 auth-port 1812 acct-port 1813 key 7 ************
> radius-server vsa send accounting
> radius-server vsa send authentication
> bridge 1 route ip
> !
> !
> !
> line con 0
> line vty 0 4
>  login authentication AdminUsers
> !
> end
>
>
>
> PACKETFENCE.LOG OUTPUT
>
> Nov 21 15:53:25 httpd.webservices(2117) INFO: Unable to extract MAC from Called-Station-Id: 003a.9a55.5370 (pf::radius::extractApMacFromRadiusRequest)
> Nov 21 15:53:25 httpd.webservices(2117) INFO: [40:b3:95:1c:20:aa] handling radius autz request: from switch_ip => (192.168.200.4), connection_type => Wireless-802.11-NoEAP,switch_mac => (), mac => [40:b3:95:1c:20:aa], port => 325, username => "40b3951c20aa" (pf::radius::authorize)
> Nov 21 15:53:25 httpd.webservices(2117) INFO: Can't find provisioner for 40:b3:95:1c:20:aa (pf::vlan::getNormalVlan)
> Nov 21 15:53:25 httpd.webservices(2117) INFO: [40:b3:95:1c:20:aa] Connection type is WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
> Nov 21 15:53:25 httpd.webservices(2117) INFO: [40:b3:95:1c:20:aa] Username was defined "40b3951c20aa" - returning user based role 'guest' (pf::vlan::getNormalVlan)
> Nov 21 15:53:25 httpd.webservices(2117) INFO: [40:b3:95:1c:20:aa] PID: "Jon.guestad", Status: reg. Returned VLAN: 40 (pf::vlan::fetchVlanForNode)
> Nov 21 15:53:25 httpd.webservices(2117) WARN: Role-based Network Access Control is not supported on network device type pf::Switch::Cisco::Aironet_1242. (pf::Switch::supportsRoleBasedEnforcement)
> Nov 21 15:53:25 httpd.webservices(2117) INFO: [40:b3:95:1c:20:aa] (192.168.200.4) Returning ACCEPT with VLAN 40 and role  (pf::Switch::returnRadiusAccessAccept)
> Nov 21 15:53:26 httpd.webservices(2117) INFO: Unable to extract MAC from Called-Station-Id: 003a.9a55.5370 (pf::radius::extractApMacFromRadiusRequest)
> Nov 21 15:53:26 httpd.webservices(2117) INFO: [40:b3:95:1c:20:aa] handling radius autz request: from switch_ip => (192.168.200.4), connection_type => Wireless-802.11-NoEAP,switch_mac => (), mac => [40:b3:95:1c:20:aa], port => 326, username => "40b3951c20aa" (pf::radius::authorize)
> Nov 21 15:53:26 httpd.webservices(2117) INFO: Can't find provisioner for 40:b3:95:1c:20:aa (pf::vlan::getNormalVlan)
> Nov 21 15:53:26 httpd.webservices(2117) INFO: [40:b3:95:1c:20:aa] Connection type is WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
> Nov 21 15:53:26 httpd.webservices(2117) INFO: [40:b3:95:1c:20:aa] Username was defined "40b3951c20aa" - returning user based role 'guest' (pf::vlan::getNormalVlan)
> Nov 21 15:53:26 httpd.webservices(2117) INFO: [40:b3:95:1c:20:aa] PID: "Jon.guestad", Status: reg. Returned VLAN: 40 (pf::vlan::fetchVlanForNode)
> Nov 21 15:53:26 httpd.webservices(2117) WARN: Role-based Network Access Control is not supported on network device type pf::Switch::Cisco::Aironet_1242. (pf::Switch::supportsRoleBasedEnforcement)
> Nov 21 15:53:26 httpd.webservices(2117) INFO: [40:b3:95:1c:20:aa] (192.168.200.4) Returning ACCEPT with VLAN 40 and role  (pf::Switch::returnRadiusAccessAccept)
> Nov 21 15:53:28 pfsetvlan(3) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
> Nov 21 15:53:28 pfsetvlan(3) INFO: doWeActOnThisTrap returns false. Stop dot11Deauthentication handling (main::handleTrap)
> Nov 21 15:53:28 pfsetvlan(3) INFO: finished (main::cleanupAfterThread)
> Nov 21 15:53:30 pfsetvlan(5) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
> Nov 21 15:53:30 pfsetvlan(5) INFO: doWeActOnThisTrap returns false. Stop dot11Deauthentication handling (main::handleTrap)
> Nov 21 15:53:30 pfsetvlan(5) INFO: finished (main::cleanupAfterThread)
>
> CISCO 1242 AG DEBUG OUTPUT
>
> PACKETFENCE-AP1#
> *Jun 16 01:05:24.942: AAA/BIND(00000051): Bind i/f
> *Jun 16 01:05:24.943: dot11_auth_add_client_entry: Create new client 40b3.951c.20aa for application 0x1
> *Jun 16 01:05:24.943: dot11_auth_initialize_client: 40b3.951c.20aa is added to the client list for application 0x1
> *Jun 16 01:05:24.943: dot11_auth_add_client_entry: req->auth_type 1
> *Jun 16 01:05:24.943: dot11_auth_add_client_entry: auth_methods_inprocess: 1
> *Jun 16 01:05:24.943: dot11_auth_add_client_entry: mac list name: mac_methods
> *Jun 16 01:05:24.943: dot11_run_auth_methods: Start auth method MAC
> *Jun 16 01:05:24.943: dot11_auth_mac_start: method_list: mac_methods
> *Jun 16 01:05:24.943: dot11_auth_mac_start: method_index: 0xC7000002, req: 0x12BAB74
> *Jun 16 01:05:24.944: dot11_auth_mac_start: client->unique_id: 0x51
> *Jun 16 01:05:24.944: AAA/AUTHEN/PPP (00000051): Pick method list 'mac_methods'
> *Jun 16 01:05:24.944: RADIUS/ENCODE(00000051):Orig. component type = DOT11
> *Jun 16 01:05:24.945: RADIUS(00000051): Config NAS IP: 0.0.0.0
> *Jun 16 01:05:24.945: RADIUS/ENCODE(00000051): acct_session_id: 81
> *Jun 16 01:05:24.945: RADIUS(00000051): Config NAS IP: 0.0.0.0
> *Jun 16 01:05:24.945: RADIUS(00000051): sending
> *Jun 16 01:05:24.945: RADIUS/ENCODE: Best Local IP-Address 192.168.200.4 for Radius-Server 192.168.200.62
> *Jun 16 01:05:24.946: RADIUS(00000051): Send Access-Request to 192.168.200.62:1812 id 1645/88, len 174
> *Jun 16 01:05:24.946: RADIUS:  authenticator 79 D1 BF 70 46 64 BC 2B - 3D 86 C0 5A 72 B9 85 5C
> *Jun 16 01:05:24.946: RADIUS:  User-Name           [1]   14  "40b3951c20aa"
> *Jun 16 01:05:24.946: RADIUS:  User-Password       [2]   18  *
> *Jun 16 01:05:24.946: RADIUS:  Called-Station-Id   [30]  16  "003a.9a55.5370"
> *Jun 16 01:05:24.946: RADIUS:  Calling-Station-Id  [31]  16  "40b3.951c.20aa"
> *Jun 16 01:05:24.947: RADIUS:  Vendor, Cisco       [26]  23
> *Jun 16 01:05:24.947: RADIUS:   Cisco AVpair       [1]   17  "ssid=Packetfence-OPEN"
> *Jun 16 01:05:24.947: RADIUS:  Vendor, WISPr       [26]  21
> *Jun 16 01:05:24.947: RADIUS:   WISPr VSA          [2]   15  "Demo Location"
> *Jun 16 01:05:24.947: RADIUS:  Service-Type        [6]   6   Login                     [1]
> *Jun 16 01:05:24.947: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
> *Jun 16 01:05:24.947: RADIUS:  NAS-Port            [5]   6   325
> *Jun 16 01:05:24.947: RADIUS:  NAS-Port-Id         [87]  5   "325"
> *Jun 16 01:05:24.947: RADIUS:  NAS-IP-Address      [4]   6   192.168.200.4
> *Jun 16 01:05:24.948: RADIUS:  Nas-Identifier      [32]  17  "PACKETFENCE-AP1"
> *Jun 16 01:05:25.122: RADIUS: Received from id 1645/88 192.168.200.62:1812, Access-Accept, len 36
> *Jun 16 01:05:25.123: RADIUS:  authenticator 30 03 51 64 B0 B7 D2 C7 - 0C B8 68 92 32 62 13 1C
> *Jun 16 01:05:25.123: RADIUS:  Tunnel-Private-Group[81]  4   "40"
> *Jun 16 01:05:25.123: RADIUS:  Tunnel-Type         [64]  6   00:VLAN                   [13]
> *Jun 16 01:05:25.123: RADIUS:  Tunnel-Medium-Type  [65]  6   00:ALL_802                [6]
> *Jun 16 01:05:25.123: RADIUS(00000051): Received from id 1645/88
> *Jun 16 01:05:25.124: dot11_mac_process_reply: AAA reply for 40b3.951c.20aa PASSED
> *Jun 16 01:05:25.124: dot11_auth_server_chk_ssid: Checking for SSID in server attributes
> *Jun 16 01:05:25.124: dot11_auth_server_vlan_number: Checking for VLAN ID in server attributes
> *Jun 16 01:05:25.124: dot11_auth_server_vlan_number: Found AAA_AT_TUNNEL_TYPE attribute
> *Jun 16 01:05:25.124: dot11_auth_server_vlan_number: Found AAA_AT_TUNNEL_TYPE VLAN
> *Jun 16 01:05:25.124: dot11_auth_server_vlan_number: Tag found is 0
> *Jun 16 01:05:25.125: dot11_auth_server_vlan_number: Found AAA_AT_TUNNEL_MEDIUM_TYPE attribute
> *Jun 16 01:05:25.125: dot11_auth_server_vlan_number: Found AAA_AT_TUNNEL_MEDIUM_TYPE with value 802
> *Jun 16 01:05:25.125: dot11_auth_server_vlan_number: Found our group tag 0
> *Jun 16 01:05:25.125: dot11_auth_server_vlan_number: Found AAA_AT_TUNNEL_PRIVATE_GROUP_IDattribute 81
> *Jun 16 01:05:25.125: dot11_auth_server_vlan_number: Found our group tag 0
> *Jun 16 01:05:25.125: dot11_auth_server_vlan_number: TUNNEL_PRIVATE_GROUP_ID attribute number string 40 for vlan 40
> *Jun 16 01:05:25.125: dot11_auth_server_get_timeout: Checking for session time out value - attribute #27
> *Jun 16 01:05:25.125: dot11_auth_send_msg: sending data to requestor status 2
> *Jun 16 01:05:25.126: dot11_auth_send_msg: resp->nsk_len 0 resp->auth_key_len 0
> *Jun 16 01:05:25.126: dot11_auth_send_msg: client authenticated 40b3.951c.20aa, node_type 64 for application 0x1
> *Jun 16 01:05:25.126: dot11_auth_delete_client_entry: 40b3.951c.20aa is deleted for application 0x1
> *Jun 16 01:05:25.126: dot11_auth_client_abort: Received abort request for client 40b3.951c.20aa
> *Jun 16 01:05:25.126: dot11_auth_client_abort: No client entry to abort: 40b3.951c.20aa for application 0x1
> *Jun 16 01:05:25.127: Outgoing SNMP packet
> *Jun 16 01:05:25.128: v1 packet
> *Jun 16 01:05:25.128: community string: public
> *Jun 16 01:05:25.909: AAA/BIND(00000052): Bind i/f
> *Jun 16 01:05:25.909: dot11_auth_add_client_entry: Create new client 40b3.951c.20aa for application 0x1
> *Jun 16 01:05:25.909: dot11_auth_initialize_client: 40b3.951c.20aa is added to the client list for application 0x1
> *Jun 16 01:05:25.909: dot11_auth_add_client_entry: req->auth_type 1
> *Jun 16 01:05:25.910: dot11_auth_add_client_entry: auth_methods_inprocess: 1
> *Jun 16 01:05:25.910: dot11_auth_add_client_entry: mac list name: mac_methods
> *Jun 16 01:05:25.910: dot11_run_auth_methods: Start auth method MAC
> *Jun 16 01:05:25.910: dot11_auth_mac_start: method_list: mac_methods
> *Jun 16 01:05:25.910: dot11_auth_mac_start: method_index: 0xC7000002, req: 0x12BAB74
> *Jun 16 01:05:25.910: dot11_auth_mac_start: client->unique_id: 0x52
> *Jun 16 01:05:25.910: AAA/AUTHEN/PPP (00000052): Pick method list 'mac_methods'
> *Jun 16 01:05:25.911: RADIUS/ENCODE(00000052):Orig. component type = DOT11
> *Jun 16 01:05:25.911: RADIUS(00000052): Config NAS IP: 0.0.0.0
> *Jun 16 01:05:25.911: RADIUS/ENCODE(00000052): acct_session_id: 82
> *Jun 16 01:05:25.911: RADIUS(00000052): Config NAS IP: 0.0.0.0
> *Jun 16 01:05:25.912: RADIUS(00000052): sending
> *Jun 16 01:05:25.912: RADIUS/ENCODE: Best Local IP-Address 192.168.200.4 for Radius-Server 192.168.200.62
> *Jun 16 01:05:25.912: RADIUS(00000052): Send Access-Request to 192.168.200.62:1812 id 1645/89, len 174
> *Jun 16 01:05:25.912: RADIUS:  authenticator A9 C9 4E 4E 43 F2 F3 93 - 1C 74 AE 7C 41 AE C9 9D
> *Jun 16 01:05:25.913: RADIUS:  User-Name           [1]   14  "40b3951c20aa"
> *Jun 16 01:05:25.913: RADIUS:  User-Password       [2]   18  *
> *Jun 16 01:05:25.913: RADIUS:  Called-Station-Id   [30]  16  "003a.9a55.5370"
> *Jun 16 01:05:25.913: RADIUS:  Calling-Station-Id  [31]  16  "40b3.951c.20aa"
> *Jun 16 01:05:25.913: RADIUS:  Vendor, Cisco       [26]  23
> *Jun 16 01:05:25.913: RADIUS:   Cisco AVpair       [1]   17  "ssid=Packetfence-OPEN"
> *Jun 16 01:05:25.913: RADIUS:  Vendor, WISPr       [26]  21
> *Jun 16 01:05:25.913: RADIUS:   WISPr VSA          [2]   15  "Demo Location"
> *Jun 16 01:05:25.914: RADIUS:  Service-Type        [6]   6   Login                     [1]
> *Jun 16 01:05:25.914: RADIUS:  NAS-Port-Type       [61]  6   802.11 wireless           [19]
> *Jun 16 01:05:25.914: RADIUS:  NAS-Port            [5]   6   326
> *Jun 16 01:05:25.914: RADIUS:  NAS-Port-Id         [87]  5   "326"
> *Jun 16 01:05:25.914: RADIUS:  NAS-IP-Address      [4]   6   192.168.200.4
> *Jun 16 01:05:25.914: RADIUS:  Nas-Identifier      [32]  17  "PACKETFENCE-AP1"
> *Jun 16 01:05:25.987: RADIUS: Received from id 1645/89 192.168.200.62:1812, Access-Accept, len 36
> *Jun 16 01:05:25.988: RADIUS:  authenticator 79 CC 4B AF A3 B0 A3 91 - 2F AB FE 1D 7F F9 A0 E2
> *Jun 16 01:05:25.988: RADIUS:  Tunnel-Private-Group[81]  4   "40"
> *Jun 16 01:05:25.988: RADIUS:  Tunnel-Type         [64]  6   00:VLAN                   [13]
> *Jun 16 01:05:25.988: RADIUS:  Tunnel-Medium-Type  [65]  6   00:ALL_802                [6]
> *Jun 16 01:05:25.989: RADIUS(00000052): Received from id 1645/89
> *Jun 16 01:05:25.989: dot11_mac_process_reply: AAA reply for 40b3.951c.20aa PASSED
> *Jun 16 01:05:25.989: dot11_auth_server_chk_ssid: Checking for SSID in server attributes
> *Jun 16 01:05:25.989: dot11_auth_server_vlan_number: Checking for VLAN ID in server attributes
> *Jun 16 01:05:25.989: dot11_auth_server_vlan_number: Found AAA_AT_TUNNEL_TYPE attribute
> *Jun 16 01:05:25.989: dot11_auth_server_vlan_number: Found AAA_AT_TUNNEL_TYPE VLAN
> *Jun 16 01:05:25.990: dot11_auth_server_vlan_number: Tag found is 0
> *Jun 16 01:05:25.990: dot11_auth_server_vlan_number: Found AAA_AT_TUNNEL_MEDIUM_TYPE attribute
> *Jun 16 01:05:25.990: dot11_auth_server_vlan_number: Found AAA_AT_TUNNEL_MEDIUM_TYPE with value 802
> *Jun 16 01:05:25.990: dot11_auth_server_vlan_number: Found our group tag 0
> *Jun 16 01:05:25.990: dot11_auth_server_vlan_number: Found AAA_AT_TUNNEL_PRIVATE_GROUP_IDattribute 81
> *Jun 16 01:05:25.990: dot11_auth_server_vlan_number: Found our group tag 0
> *Jun 16 01:05:25.990: dot11_auth_server_vlan_number: TUNNEL_PRIVATE_GROUP_ID attribute number string 40 for vlan 40
> *Jun 16 01:05:25.990: dot11_auth_server_get_timeout: Checking for session time out value - attribute #27
> *Jun 16 01:05:25.991: dot11_auth_send_msg: sending data to requestor status 2
> *Jun 16 01:05:25.991: dot11_auth_send_msg: resp->nsk_len 0 resp->auth_key_len 0
> *Jun 16 01:05:25.991: dot11_auth_send_msg: client authenticated 40b3.951c.20aa, node_type 64 for application 0x1
> *Jun 16 01:05:25.991: dot11_auth_delete_client_entry: 40b3.951c.20aa is deleted for application 0x1
> *Jun 16 01:05:25.991: dot11_auth_client_abort: Received abort request for client 40b3.951c.20aa
> *Jun 16 01:05:25.991: dot11_auth_client_abort: No client entry to abort: 40b3.951c.20aa for application 0x1
> *Jun 16 01:05:25.993: Outgoing SNMP packet
> *Jun 16 01:05:25.993: v1 packet
> *Jun 16 01:05:25.993: community string: public
>
>
> PACKETFENCE RADIUS DEBUG OUTPUT
>
> rad_recv: Access-Request packet from host 192.168.200.4 port 1645, id=88, length=174
>         User-Name = "40b3951c20aa"
>         User-Password = "40b3951c20aa"
>         Called-Station-Id = "003a.9a55.5370"
>         Calling-Station-Id = "40b3.951c.20aa"
>         Cisco-AVPair = "ssid=Packetfence-OPEN"
>         WISPr-Location-Name = "Demo Location"
>         Service-Type = Login-User
>         NAS-Port-Type = Wireless-802.11
>         NAS-Port = 325
>         NAS-Port-Id = "325"
>         NAS-IP-Address = 192.168.200.4
>         NAS-Identifier = "PACKETFENCE-AP1"
> server packetfence {
> # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence
> +group authorize {
> [suffix] No '@' in User-Name = "40b3951c20aa", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] = noop
> ++[preprocess] = ok
> [eap] No EAP-Message, not doing EAP
> ++[eap] = noop
> [files] users: Matched entry DEFAULT at line 1
> ++[files] = ok
> ++[expiration] = noop
> ++[logintime] = noop
> ++update request {
>         expand: %{Packet-Src-IP-Address} -> 192.168.200.4
> ++} # update request = noop
> ++update control {
> ++} # update control = noop
> rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
> rlm_perl: Added pair Service-Type = Login-User
> rlm_perl: Added pair Calling-Station-Id = 40b3.951c.20aa
> rlm_perl: Added pair Called-Station-Id = 003a.9a55.5370
> rlm_perl: Added pair FreeRADIUS-Client-IP-Address = 192.168.200.4
> rlm_perl: Added pair Cisco-AVPair = ssid=Packetfence-OPEN
> rlm_perl: Added pair User-Name = 40b3951c20aa
> rlm_perl: Added pair NAS-Identifier = PACKETFENCE-AP1
> rlm_perl: Added pair User-Password = 40b3951c20aa
> rlm_perl: Added pair NAS-IP-Address = 192.168.200.4
> rlm_perl: Added pair NAS-Port = 325
> rlm_perl: Added pair NAS-Port-Id = 325
> rlm_perl: Added pair WISPr-Location-Name = Demo Location
> rlm_perl: Added pair PacketFence-RPC-Pass =
> rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1
> rlm_perl: Added pair PacketFence-RPC-Proto = http
> rlm_perl: Added pair PacketFence-RPC-User =
> rlm_perl: Added pair Auth-Type = Accept
> rlm_perl: Added pair PacketFence-RPC-Port = 9090
> ++[packetfence] = noop
> +} # group authorize = ok
> Found Auth-Type = Accept
> Auth-Type = Accept, accepting the user
> Login OK: [40b3951c20aa] (from client 192.168.200.4 port 325 cli 40b3.951c.20aa)
> } # server packetfence
> # Executing section post-auth from file /usr/local/pf/raddb/sites-enabled/packetfence
> +group post-auth {
> ++[exec] = noop
> ++? if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP))
> ? Evaluating !(EAP-Type ) -> TRUE
> ?? Skipping (EAP-Type != EAP-TTLS )
> ?? Skipping (EAP-Type != PEAP)
> ++? if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) -> TRUE
> ++if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) {
> +++update control {
> +++} # update control = noop
> rlm_perl: Returning vlan 40 to request from 40:b3:95:1c:20:aa port 325
> rlm_perl: PacketFence RESULT RESPONSE CODE: 2 (2 means OK)
> rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
> rlm_perl: Added pair Service-Type = Login-User
> rlm_perl: Added pair Called-Station-Id = 003a.9a55.5370
> rlm_perl: Added pair Calling-Station-Id = 40b3.951c.20aa
> rlm_perl: Added pair FreeRADIUS-Client-IP-Address = 192.168.200.4
> rlm_perl: Added pair Cisco-AVPair = ssid=Packetfence-OPEN
> rlm_perl: Added pair User-Name = 40b3951c20aa
> rlm_perl: Added pair NAS-Identifier = PACKETFENCE-AP1
> rlm_perl: Added pair User-Password = 40b3951c20aa
> rlm_perl: Added pair NAS-Port = 325
> rlm_perl: Added pair NAS-IP-Address = 192.168.200.4
> rlm_perl: Added pair WISPr-Location-Name = Demo Location
> rlm_perl: Added pair NAS-Port-Id = 325
> rlm_perl: Added pair Tunnel-Private-Group-ID = 40
> rlm_perl: Added pair Tunnel-Type = 13
> rlm_perl: Added pair Tunnel-Medium-Type = 6
> rlm_perl: Added pair PacketFence-RPC-Pass =
> rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1
> rlm_perl: Added pair PacketFence-RPC-User =
> rlm_perl: Added pair PacketFence-RPC-Proto = http
> rlm_perl: Added pair Auth-Type = Accept
> rlm_perl: Added pair PacketFence-RPC-Port = 9090
> +++[packetfence] = ok
> ++} # if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) = ok
> +} # group post-auth = ok
> Sending Access-Accept of id 88 to 192.168.200.4 port 1645
>         Tunnel-Private-Group-Id:0 = "40"
>         Tunnel-Type:0 = VLAN
>         Tunnel-Medium-Type:0 = IEEE-802
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
rad_recv: Access-Request > packet from host 192.168.200.4 port 1645, id=89, length=174 > User-Name = "40b3951c20aa" User-Password = "40b3951c20aa" > Called-Station-Id = "003a.9a55.5370" Calling-Station-Id = > "40b3.951c.20aa" Cisco-AVPair = "ssid=Packetfence-OPEN" > WISPr-Location-Name = "Demo Location" Service-Type = Login-User > NAS-Port-Type = Wireless-802.11 NAS-Port = 326 NAS-Port-Id = "326" > NAS-IP-Address = 192.168.200.4 NAS-Identifier = "PACKETFENCE-AP1" > server packetfence { # Executing section authorize from file > /usr/local/pf/raddb/sites-enabled/packetfence +group authorize { > [suffix] No '@' in User-Name = "40b3951c20aa", looking up realm > NULL [suffix] No such realm "NULL" ++[suffix] = noop ++[preprocess] > = ok [eap] No EAP-Message, not doing EAP ++[eap] = noop [files] > users: Matched entry DEFAULT at line 1 ++[files] = ok > ++[expiration] = noop ++[logintime] = noop ++update request { > expand: %{Packet-Src-IP-Address} -> 192.168.200.4 ++} # update > request = noop ++update control { ++} # update control = noop > rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: > Added pair Service-Type = Login-User rlm_perl: Added pair > Calling-Station-Id = 40b3.951c.20aa rlm_perl: Added pair > Called-Station-Id = 003a.9a55.5370 rlm_perl: Added pair > FreeRADIUS-Client-IP-Address = 192.168.200.4 rlm_perl: Added pair > Cisco-AVPair = ssid=Packetfence-OPEN rlm_perl: Added pair User-Name > = 40b3951c20aa rlm_perl: Added pair NAS-Identifier = > PACKETFENCE-AP1 rlm_perl: Added pair User-Password = 40b3951c20aa > rlm_perl: Added pair NAS-IP-Address = 192.168.200.4 rlm_perl: Added > pair NAS-Port = 326 rlm_perl: Added pair NAS-Port-Id = 326 > rlm_perl: Added pair WISPr-Location-Name = Demo Location rlm_perl: > Added pair PacketFence-RPC-Pass = rlm_perl: Added pair > PacketFence-RPC-Server = 127.0.0.1 rlm_perl: Added pair > PacketFence-RPC-Proto = http rlm_perl: Added pair > PacketFence-RPC-User = rlm_perl: Added pair Auth-Type = Accept > rlm_perl: 
Added pair PacketFence-RPC-Port = 9090 ++[packetfence] = > noop +} # group authorize = ok Found Auth-Type = Accept Auth-Type = > Accept, accepting the user Login OK: [40b3951c20aa] (from client > 192.168.200.4 port 326 cli 40b3.951c.20aa) } # server packetfence # > Executing section post-auth from file > /usr/local/pf/raddb/sites-enabled/packetfence +group post-auth { > ++[exec] = noop ++? if (!EAP-Type || (EAP-Type != EAP-TTLS && > EAP-Type != PEAP)) ? Evaluating !(EAP-Type ) -> TRUE ?? Skipping > (EAP-Type != EAP-TTLS ) ?? Skipping (EAP-Type != PEAP) ++? if > (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) -> TRUE > ++if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) { > +++update control { +++} # update control = noop rlm_perl: > Returning vlan 40 to request from 40:b3:95:1c:20:aa port 326 > rlm_perl: PacketFence RESULT RESPONSE CODE: 2 (2 means OK) > rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: > Added pair Service-Type = Login-User rlm_perl: Added pair > Called-Station-Id = 003a.9a55.5370 rlm_perl: Added pair > Calling-Station-Id = 40b3.951c.20aa rlm_perl: Added pair > FreeRADIUS-Client-IP-Address = 192.168.200.4 rlm_perl: Added pair > Cisco-AVPair = ssid=Packetfence-OPEN rlm_perl: Added pair User-Name > = 40b3951c20aa rlm_perl: Added pair NAS-Identifier = > PACKETFENCE-AP1 rlm_perl: Added pair User-Password = 40b3951c20aa > rlm_perl: Added pair NAS-Port = 326 rlm_perl: Added pair > NAS-IP-Address = 192.168.200.4 rlm_perl: Added pair > WISPr-Location-Name = Demo Location rlm_perl: Added pair > NAS-Port-Id = 326 rlm_perl: Added pair Tunnel-Private-Group-ID = > 40 rlm_perl: Added pair Tunnel-Type = 13 rlm_perl: Added pair > Tunnel-Medium-Type = 6 rlm_perl: Added pair PacketFence-RPC-Pass = > rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1 rlm_perl: > Added pair PacketFence-RPC-User = rlm_perl: Added pair > PacketFence-RPC-Proto = http rlm_perl: Added pair Auth-Type = > Accept rlm_perl: Added pair 
PacketFence-RPC-Port = 9090 > +++[packetfence] = ok ++} # if (!EAP-Type || (EAP-Type != EAP-TTLS > && EAP-Type != PEAP)) = ok +} # group post-auth = ok Sending > Access-Accept of id 89 to 192.168.200.4 port 1645 > Tunnel-Private-Group-Id:0 = "40" Tunnel-Type:0 = VLAN > Tunnel-Medium-Type:0 = IEEE-802 Finished request 1. > > > > > The information contained in this e-mail may be subject to public > disclosure under the NHS Code of Openness or the Freedom of > Information Act 2000. Unless the information is legally exempt, the > confidentiality of this e-mail and your reply cannot be > guaranteed. Unless expressly stated otherwise, the information > contained in this e-mail is intended for the named recipient(s) > only. If you are not the intended recipient you must not copy, > distribute, or take any action or reliance upon it. If you have > received this e-mail in error, please notify the sender. Any > unauthorised disclosure of the information contained in this e-mail > is strictly prohibited. > > ------------------------------------------------------------------------------ > > Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server > from Actuate! Instantly Supercharge Your Business Reports and > Dashboards with Interactivity, Sharing, Native Excel Exports, App > Integration & more Get technology previously reserved for > billion-dollar corporations, FREE > http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk > > _______________________________________________ > PacketFence-users mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/packetfence-users > - -- Fabrice Durand [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca Inverse inc. 
:: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
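As an added check that is not part of this thread: a small Python script that parses FreeRADIUS debug output in the format quoted above, confirms that an Access-Accept carries the RFC 3580 VLAN assignment triple (Tunnel-Type VLAN, Tunnel-Medium-Type IEEE-802, numeric Tunnel-Private-Group-Id), and flags SSIDs that share one VLAN id, the autonomous-AP limitation Fabrice points to. The debug excerpt and the SSID-to-VLAN mapping are constructed samples.

```python
import re
from collections import defaultdict

# Constructed excerpt in the shape of the FreeRADIUS debug output quoted in the thread
SAMPLE_DEBUG = "\n".join([
    "rad_recv: Access-Request packet from host 192.168.200.4 port 1645, id=89, length=174",
    '\tUser-Name = "40b3951c20aa"',
    '\tCalling-Station-Id = "40b3.951c.20aa"',
    '\tCisco-AVPair = "ssid=Packetfence-OPEN"',
    "server packetfence {",
    "rlm_perl: Returning vlan 40 to request from 40:b3:95:1c:20:aa port 326",
    "Sending Access-Accept of id 89 to 192.168.200.4 port 1645",
    '\tTunnel-Private-Group-Id:0 = "40"',
    "\tTunnel-Type:0 = VLAN",
    "\tTunnel-Medium-Type:0 = IEEE-802",
    "Finished request 1.",
])

def parse_replies(debug_text):
    """Map each reply id to the packet code, NAS address and attributes sent back."""
    replies, current = {}, None
    for line in debug_text.splitlines():
        m = re.match(r"Sending (Access-\w+) of id (\d+) to (\S+) port", line)
        if m:
            current = {"code": m.group(1), "nas": m.group(3), "attrs": {}}
            replies[int(m.group(2))] = current
        elif current is not None and line.startswith(("\t", " ")):
            # Reply attributes are indented; drop the ":0" tag suffix and quotes
            name, _, value = line.strip().partition(" = ")
            current["attrs"][name.split(":")[0]] = value.strip('"')
        elif line.startswith("Finished request"):
            current = None
    return replies

def vlan_assignment(reply):
    """VLAN id the NAS was told to use, or None if the triple is missing or malformed."""
    a = reply["attrs"]
    if reply["code"] != "Access-Accept":
        return None
    if a.get("Tunnel-Type") != "VLAN" or a.get("Tunnel-Medium-Type") != "IEEE-802":
        return None
    gid = a.get("Tunnel-Private-Group-Id", "")
    return int(gid) if gid.isdigit() else None

def shared_vlan_ssids(ssid_to_vlan):
    """VLAN ids used by more than one SSID, which a standalone Aironet AP may not allow."""
    by_vlan = defaultdict(list)
    for ssid, vlan in ssid_to_vlan.items():
        by_vlan[vlan].append(ssid)
    return {v: sorted(s) for v, s in by_vlan.items() if len(s) > 1}
```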
