Hello Jon, it's really weird, packetfence's radius answer is correct.
So let's do a checklist: VLAN 40 exists on the access point and is tagged on the switch port where the access point is connected.
In the packetfence switch configuration, do you only use VLAN role per VLAN ID?

Regards
Fabrice

On 2014-11-26 12:26, Gair, Jon wrote:
> I have used a newer 1262 AP with v15 of IOS with the same results. Once registered for the guest network it attempts to connect, Packetfence authenticates it and tells the AP which VLAN to assign and that is it. AP debugs below. Struggling to test this now without a controller. Is it a limitation of iPhones?
>
> Thanks
>
> Jon
>
> *Mar 1 06:09:19.941: AAA/BIND(000000E0): Bind i/f
> *Mar 1 06:09:19.941: dot11_auth_add_client_entry: Create new client 40b3.951c.20aa for application 0x1
> *Mar 1 06:09:19.941: dot11_auth_initialize_client: 40b3.951c.20aa is added to the client list for application 0x1
> *Mar 1 06:09:19.941: dot11_auth_add_client_entry: req->auth_type 1
> *Mar 1 06:09:19.941: dot11_auth_add_client_entry: auth_methods_inprocess: 1
> *Mar 1 06:09:19.941: dot11_auth_add_client_entry: mac list name: mac_methods
> *Mar 1 06:09:19.941: dot11_run_auth_methods: Start auth method MAC
> *Mar 1 06:09:19.941: dot11_auth_mac_start: method_list: mac_methods
> *Mar 1 06:09:19.941: dot11_auth_mac_start: method_index: 0x3F000002, req: 0x4DC4818
> *Mar 1 06:09:19.941: dot11_auth_mac_start: client->unique_id: 0xE0
> *Mar 1 06:09:19.941: AAA/AUTHEN/PPP (000000E0): Pick method list 'mac_methods'
> *Mar 1 06:09:19.941: RADIUS/ENCODE(000000E0):Orig. component type = DOT11
> *Mar 1 06:09:19.941: RADIUS(000000E0): Config NAS IP: 192.168.200.4
> *Mar 1 06:09:19.941: RADIUS(000000E0): Config NAS IPv6: ::
> *Mar 1 06:09:19.941: RADIUS/ENCODE(000000E0): acct_session_id: 214
> *Mar 1 06:09:19.941: RADIUS(000000E0): Config NAS IP: 192.168.200.4
> *Mar 1 06:09:19.941: RADIUS(000000E0): sending
> *Mar 1 06:09:19.941: RADIUS(000000E0): Send Access-Request to 192.168.200.62:1812 id 1645/10, len 217
> *Mar 1 06:09:19.941: RADIUS: authenticator 50 98 29 5C 6F D2 91 6F - 7E 89 31 15 F4 7F 39 FE
> *Mar 1 06:09:19.941: RADIUS: User-Name [1] 14 "40b3951c20aa"
> *Mar 1 06:09:19.941: RADIUS: User-Password [2] 18 *
> *Mar 1 06:09:19.941: RADIUS: Called-Station-Id [30] 30 "D0-C7-89-E9-42-D0:Packetfence-OPEN"
> *Mar 1 06:09:19.941: RADIUS: Calling-Station-Id [31] 19 "40-B3-95-1C-20-AA"
> *Mar 1 06:09:19.941: RADIUS: Vendor, Cisco [26] 23
> *Mar 1 06:09:19.941: RADIUS: Cisco AVpair [1] 17 "ssid=Packetfence-OPEN"
> *Mar 1 06:09:19.941: RADIUS: Vendor, WISPr [26] 21
> *Mar 1 06:09:19.944: RADIUS: WISPr VSA [2] 15 "Demo Location"
> *Mar 1 06:09:19.944: RADIUS: Service-Type [6] 6 Login [1]
> *Mar 1 06:09:19.944: RADIUS: Vendor, Cisco [26] 26
> *Mar 1 06:09:19.944: RADIUS: Cisco AVpair [1] 20 "service-type=Login"
> *Mar 1 06:09:19.944: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
> *Mar 1 06:09:19.944: RADIUS: NAS-Port [5] 6 266
> *Mar 1 06:09:19.944: RADIUS: NAS-Port-Id [87] 5 "266"
> *Mar 1 06:09:19.944: RADIUS: NAS-IP-Address [4] 6 192.168.200.4
> *Mar 1 06:09:19.944: RADIUS: Nas-Identifier [32] 17 "PACKETFENCE-AP1"
> *Mar 1 06:09:19.944: RADIUS(000000E0): Sending a IPv4 Radius Packet
> *Mar 1 06:09:19.944: RADIUS(000000E0): Started 5 sec timeout
> *Mar 1 06:09:19.973: RADIUS: Received from id 1645/10 192.168.200.62:1812, Access-Accept, len 36
> *Mar 1 06:09:19.973: RADIUS: authenticator E5 23 0E 3B E0 6D 1F 1C - B2 E5 D6 4B C2 BE 32 9C
> *Mar 1 06:09:19.973: RADIUS: Tunnel-Private-Group[81] 4 "40"
> *Mar 1 06:09:19.973: RADIUS: Tunnel-Type [64] 6 00:VLAN [13]
> *Mar 1 06:09:19.973: RADIUS: Tunnel-Medium-Type [65] 6 00:ALL_802 [6]
> *Mar 1 06:09:19.973: RADIUS(000000E0): Received from id 1645/10
> *Mar 1 06:09:19.973: dot11_mac_process_reply: AAA reply for 40b3.951c.20aa PASSED
> *Mar 1 06:09:19.973: dot11_auth_server_chk_ssid: Checking for SSID in server attributes
> *Mar 1 06:09:19.973: dot11_auth_server_vlan_number: Checking for VLAN ID in server attributes
> *Mar 1 06:09:19.973: dot11_auth_server_vlan_number: Found AAA_AT_TUNNEL_TYPE attribute
> *Mar 1 06:09:19.973: dot11_auth_server_vlan_number: Found AAA_AT_TUNNEL_TYPE VLAN
> *Mar 1 06:09:19.973: dot11_auth_server_vlan_number: Tag found is 0
> *Mar 1 06:09:19.973: dot11_auth_server_vlan_number: Found AAA_AT_TUNNEL_MEDIUM_TYPE attribute
> *Mar 1 06:09:19.973: dot11_auth_server_vlan_number: Found AAA_AT_TUNNEL_MEDIUM_TYPE with value 802
> *Mar 1 06:09:19.973: dot11_auth_server_vlan_number: Found our group tag 0
> *Mar 1 06:09:19.973: dot11_auth_server_vlan_number: Found AAA_AT_TUNNEL_PRIVATE_GROUP_IDattribute 81
> *Mar 1 06:09:19.973: dot11_auth_server_vlan_number: Found our group tag 0
> *Mar 1 06:09:19.973: dot11_auth_server_vlan_number: TUNNEL_PRIVATE_GROUP_ID attribute number string 40 for vlan 40
> *Mar 1 06:09:19.973: dot11_auth_server_airespace_aclname: Checking for Airespace-Acl-Name in server attributes
> *Mar 1 06:09:19.973: dot11_auth_server_get_timeout: Checking for session time out value - attribute #27
> *Mar 1 06:09:19.973: dot11_auth_send_msg: sending data to requestor status 2
> *Mar 1 06:09:19.973: dot11_auth_send_msg: resp->nsk_len 0 resp->auth_key_len 0
> *Mar 1 06:09:19.973: dot11_auth_send_msg: client authenticated 40b3.951c.20aa, node_type 64 for application 0x1
> *Mar 1 06:09:19.973: dot11_auth_delete_client_entry: 40b3.951c.20aa is deleted for application 0x1
> *Mar 1 06:09:19.973: dot11_auth_client_abort: Received abort request for client 40b3.951c.20aa
> *Mar 1 06:09:19.973: dot11_auth_client_abort: No client entry to abort: 40b3.951c.20aa for application 0x1
> *Mar 1 06:09:21.149: RADIUS: Received from id 1645/10 192.168.200.62:1812, Access-Accept, len 36
> *Mar 1 06:09:21.149: RADIUS: Response for non-existent request ident
>
> ================================
> Thanks for the reply Fabrice. I think this is a limitation of these APs but only in the config and if you are using radius to dynamically assign the appropriate VLAN it is not that important. Since I am only looking at the open SSID I think this should be ok.
> Just keen to know if I have configured this correctly on the basis of the config posted etc. I did find something that suggested RADIUS may also have to return a list of 'approved' SSIDs for that user's device but assume the AP will not restrict this if no list is returned (which is what the debugs suggest).
> Would be interesting to know if anyone has successfully used these APs autonomously. Realise they are a little old so I may need to check with something newer using v15 of IOS or even a controller.
>
> Thanks
>
> Jon
>
> On: 25 November 2014 19:57, "Fabrice DURAND" <[email protected]> wrote:
>
> Hello Jon,
>
> all the logs are ok, so it looks like a limitation of the cisco access point.
> I remember that standalone access point can't share the same vlan id on 2 SSIDs.
>
> https://github.com/inverse-inc/packetfence/blob/devel/docs/PacketFence_Network_Devices_Configuration_Guide.asciidoc#aironet-1121-1130-1242-1250
>
> Is it the case in your config?
>
> Regards
> Fabrice
>
> On 2014-11-25 11:09, Gair, Jon wrote:
> > I have been looking at Packetfence in a small lab environment for a couple of weeks now and believe I have the packetfence side of things set up as I want with the following VLANs in operation to provide network isolation:
> >
> > VLAN 10 - Management (192.168.200.x range)
> > VLAN 20 - Registration (DHCP served by packetfence)
> > VLAN 30 - Isolation
> > VLAN 40 - Guest (DHCP served by Windows server)
> > VLAN 50 - Approved (DHCP served by Windows server)
> >
> > I have a physical 3560 switch with a 1242 AP for wireless connectivity.
> >
> > I have a registration portal shown on VLAN20 where either an AD username and password can be entered to assign them a trusted role or a sponsored route to the guest role via AD sponsorship. This all works as expected and the web GUI shows the necessary devices being assigned the relevant roles.
> >
> > The issue I have is where I am trying to connect to the Guest VLAN from an autonomous Cisco 1242 AP configured as below. Aware I have encryption assigned to VLAN50 (trusted) where my plan is to make use of Packetfence-secure SSID only for trusted users but just trying to get a basic assignment of the guest VLAN which I gather should work causes problems. MAC authentication takes place but it will not assign it to the correct VLAN.
> >
> > The AP is on the list of approved devices and I am on the latest IOS. After registration is complete any attempt to connect to the SSID from an iPhone just disconnects and it never reconnects. The RADIUS debug traffic below suggests that the necessary attributes are being passed back to the AP and it is being instructed to connect to VLAN40 but this does not appear to happen and no further connectivity occurs. It is as if it is being instructed to perform the disassociation and that is the conversation finished.
> >
> > Am I missing something here in relation to the setup of this concept? Aware that a controller rather than autonomous AP is the preferred solution but the 1242 is capable and I am running 12.4(25d) which would also support the Packet of Disconnect (RFC 3576) if necessary. Difficult to obtain a controller for a proof of concept lab environment.
> >
> > Let me know if there is anything else I can debug to get to the bottom of this issue or if there are some design changes that I need to consider. Also going to try a 1262 to see if they work since they are a bit more recent.
> >
> > Thanks
> >
> > Jon
> >
> > Cisco AP Config
> >
> > version 12.4
> > no service pad
> > service timestamps debug datetime msec
> > service timestamps log datetime msec
> > service password-encryption
> > !
> > hostname PACKETFENCE-AP1
> > !
> > logging buffered notifications
> > logging rate-limit console 25
> > enable secret 5 **********
> > !
> > aaa new-model
> > !
> > !
> > aaa group server radius rad_eap
> >  server 192.168.200.62 auth-port 1812 acct-port 1813
> > !
> > aaa group server radius rad_mac
> >  server 192.168.200.62 auth-port 1812 acct-port 1813
> > !
> > aaa group server radius rad_acct
> >  server 192.168.200.62 auth-port 1812 acct-port 1813
> > !
> > aaa group server radius rad_admin
> >  server 192.168.200.62 auth-port 1812 acct-port 1813
> > !
> > aaa authentication login eap_methods group rad_eap
> > aaa authentication login mac_methods group rad_mac
> > aaa authentication login AdminUsers local
> > aaa authorization exec default local group rad_mac group rad_admin group rad_eap
> > aaa authorization network default group rad_mac
> > !
> > aaa session-id common
> > !
> > !
> > dot11 mbssid
> > dot11 syslog
> > dot11 activity-timeout unknown default 62
> > dot11 activity-timeout client default 62 maximum 120
> > dot11 activity-timeout repeater default 90 maximum 120
> > dot11 activity-timeout workgroup-bridge default 90 maximum 120
> > dot11 activity-timeout bridge default 90 maximum 120
> > dot11 vlan-name GUEST vlan 40
> > dot11 vlan-name ISOLATION vlan 30
> > dot11 vlan-name MANAGEMENT vlan 10
> > dot11 vlan-name REGISTRATION vlan 20
> > dot11 vlan-name TRUSTED vlan 50
> > !
> > dot11 ssid Packetfence-OPEN
> >  vlan 20 backup ISOLATION
> >  authentication open mac-address mac_methods
> >  mbssid guest-mode
> > !
> > dot11 ssid Packetfence-SECURE
> >  vlan 50
> >  authentication open eap eap_methods
> >  authentication key-management wpa
> >  mbssid guest-mode
> > !
> > dot11 network-map
> > !
> > !
> > username support privilege 15 password 7 ***************
> > !
> > !
> > bridge irb
> > !
> > !
> > interface Dot11Radio0
> >  no ip address
> >  no ip route-cache
> >  timeout absolute 60 0
> >  !
> >  encryption vlan 30 mode ciphers aes-ccm
> >  !
> >  encryption vlan 50 mode ciphers aes-ccm
> >  !
> >  ssid Packetfence-OPEN
> >  !
> >  ssid Packetfence-SECURE
> >  !
> >  station-role root
> >  bridge-group 1
> >  bridge-group 1 subscriber-loop-control
> >  bridge-group 1 block-unknown-source
> >  no bridge-group 1 source-learning
> >  no bridge-group 1 unicast-flooding
> >  bridge-group 1 spanning-disabled
> > !
> > interface Dot11Radio0.20
> >  encapsulation dot1Q 20
> >  no ip route-cache
> >  bridge-group 252
> >  bridge-group 252 subscriber-loop-control
> >  bridge-group 252 block-unknown-source
> >  no bridge-group 252 source-learning
> >  no bridge-group 252 unicast-flooding
> >  bridge-group 252 spanning-disabled
> > !
> > interface Dot11Radio0.30
> >  encapsulation dot1Q 30
> >  no ip route-cache
> >  bridge-group 253
> >  bridge-group 253 subscriber-loop-control
> >  bridge-group 253 block-unknown-source
> >  no bridge-group 253 source-learning
> >  no bridge-group 253 unicast-flooding
> >  bridge-group 253 spanning-disabled
> > !
> > interface Dot11Radio0.40
> >  encapsulation dot1Q 40
> >  no ip route-cache
> >  bridge-group 254
> >  bridge-group 254 subscriber-loop-control
> >  bridge-group 254 block-unknown-source
> >  no bridge-group 254 source-learning
> >  no bridge-group 254 unicast-flooding
> >  bridge-group 254 spanning-disabled
> > !
> > interface Dot11Radio0.50
> >  encapsulation dot1Q 50
> >  no ip route-cache
> >  bridge-group 255
> >  bridge-group 255 subscriber-loop-control
> >  bridge-group 255 block-unknown-source
> >  no bridge-group 255 source-learning
> >  no bridge-group 255 unicast-flooding
> >  bridge-group 255 spanning-disabled
> > !
> > interface Dot11Radio1
> >  no ip address
> >  no ip route-cache
> >  shutdown
> >  no dfs band block
> >  channel dfs
> >  station-role root
> >  bridge-group 1
> >  bridge-group 1 subscriber-loop-control
> >  bridge-group 1 block-unknown-source
> >  no bridge-group 1 source-learning
> >  no bridge-group 1 unicast-flooding
> >  bridge-group 1 spanning-disabled
> > !
> > interface FastEthernet0
> >  no ip address
> >  no ip route-cache
> >  duplex auto
> >  speed auto
> >  bridge-group 1
> >  no bridge-group 1 source-learning
> >  bridge-group 1 spanning-disabled
> > !
> > interface FastEthernet0.10
> >  encapsulation dot1Q 10
> >  ip address 192.168.200.4 255.255.255.192
> >  no ip route-cache
> >  bridge-group 251
> >  no bridge-group 251 source-learning
> >  bridge-group 251 spanning-disabled
> > !
> > interface FastEthernet0.20
> >  encapsulation dot1Q 20
> >  ip address 172.16.3.254 255.255.252.0
> >  no ip route-cache
> >  bridge-group 252
> >  no bridge-group 252 source-learning
> >  bridge-group 252 spanning-disabled
> > !
> > interface FastEthernet0.30
> >  encapsulation dot1Q 30
> >  no ip route-cache
> >  bridge-group 253
> >  no bridge-group 253 source-learning
> >  bridge-group 253 spanning-disabled
> > !
> > interface FastEthernet0.40
> >  encapsulation dot1Q 40
> >  no ip route-cache
> >  bridge-group 254
> >  no bridge-group 254 source-learning
> >  bridge-group 254 spanning-disabled
> > !
> > interface FastEthernet0.50
> >  encapsulation dot1Q 50
> >  no ip route-cache
> >  bridge-group 255
> >  no bridge-group 255 source-learning
> >  bridge-group 255 spanning-disabled
> > !
> > interface BVI1
> >  no ip address
> >  no ip route-cache
> > !
> > ip http server
> > no ip http secure-server
> > ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
> > logging history informational
> > logging trap debugging
> > snmp-server view iso iso included
> > snmp-server view dot11view ieee802dot11 included
> > snmp-server community public RO
> > snmp-server community private RW
> > snmp-server location Demo Location
> > snmp-server chassis-id JonsAP
> > snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
> > snmp-server enable traps tty
> > snmp-server enable traps entity
> > snmp-server enable traps disassociate
> > snmp-server enable traps deauthenticate
> > snmp-server enable traps authenticate-fail
> > snmp-server enable traps dot11-qos
> > snmp-server enable traps switch-over
> > snmp-server enable traps rogue-ap
> > snmp-server enable traps wlan-wep
> > snmp-server enable traps config
> > snmp-server enable traps syslog
> > snmp-server enable traps aaa_server
> > snmp-server host 192.168.200.62 public deauthenticate
> > radius-server attribute 32 include-in-access-req format %h
> > radius-server host 192.168.200.62 auth-port 1812 acct-port 1813 key 7 ************
> > radius-server vsa send accounting
> > radius-server vsa send authentication
> > bridge 1 route ip
> > !
> > !
> > !
> > line con 0
> > line vty 0 4
> >  login authentication AdminUsers
> > !
> > end
> >
> > PACKETFENCE.LOG OUTPUT
> >
> > Nov 21 15:53:25 httpd.webservices(2117) INFO: Unable to extract MAC from Called-Station-Id: 003a.9a55.5370 (pf::radius::extractApMacFromRadiusRequest)
> > Nov 21 15:53:25 httpd.webservices(2117) INFO: [40:b3:95:1c:20:aa] handling radius autz request: from switch_ip => (192.168.200.4), connection_type => Wireless-802.11-NoEAP,switch_mac => (), mac => [40:b3:95:1c:20:aa], port => 325, username => "40b3951c20aa" (pf::radius::authorize)
> > Nov 21 15:53:25 httpd.webservices(2117) INFO: Can't find provisioner for 40:b3:95:1c:20:aa (pf::vlan::getNormalVlan)
> > Nov 21 15:53:25 httpd.webservices(2117) INFO: [40:b3:95:1c:20:aa] Connection type is WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
> > Nov 21 15:53:25 httpd.webservices(2117) INFO: [40:b3:95:1c:20:aa] Username was defined "40b3951c20aa" - returning user based role 'guest' (pf::vlan::getNormalVlan)
> > Nov 21 15:53:25 httpd.webservices(2117) INFO: [40:b3:95:1c:20:aa] PID: "Jon.guestad", Status: reg. Returned VLAN: 40 (pf::vlan::fetchVlanForNode)
> > Nov 21 15:53:25 httpd.webservices(2117) WARN: Role-based Network Access Control is not supported on network device type pf::Switch::Cisco::Aironet_1242.
> > (pf::Switch::supportsRoleBasedEnforcement)
> > Nov 21 15:53:25 httpd.webservices(2117) INFO: [40:b3:95:1c:20:aa] (192.168.200.4) Returning ACCEPT with VLAN 40 and role (pf::Switch::returnRadiusAccessAccept)
> > Nov 21 15:53:26 httpd.webservices(2117) INFO: Unable to extract MAC from Called-Station-Id: 003a.9a55.5370 (pf::radius::extractApMacFromRadiusRequest)
> > Nov 21 15:53:26 httpd.webservices(2117) INFO: [40:b3:95:1c:20:aa] handling radius autz request: from switch_ip => (192.168.200.4), connection_type => Wireless-802.11-NoEAP,switch_mac => (), mac => [40:b3:95:1c:20:aa], port => 326, username => "40b3951c20aa" (pf::radius::authorize)
> > Nov 21 15:53:26 httpd.webservices(2117) INFO: Can't find provisioner for 40:b3:95:1c:20:aa (pf::vlan::getNormalVlan)
> > Nov 21 15:53:26 httpd.webservices(2117) INFO: [40:b3:95:1c:20:aa] Connection type is WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
> > Nov 21 15:53:26 httpd.webservices(2117) INFO: [40:b3:95:1c:20:aa] Username was defined "40b3951c20aa" - returning user based role 'guest' (pf::vlan::getNormalVlan)
> > Nov 21 15:53:26 httpd.webservices(2117) INFO: [40:b3:95:1c:20:aa] PID: "Jon.guestad", Status: reg. Returned VLAN: 40 (pf::vlan::fetchVlanForNode)
> > Nov 21 15:53:26 httpd.webservices(2117) WARN: Role-based Network Access Control is not supported on network device type pf::Switch::Cisco::Aironet_1242. (pf::Switch::supportsRoleBasedEnforcement)
> > Nov 21 15:53:26 httpd.webservices(2117) INFO: [40:b3:95:1c:20:aa] (192.168.200.4) Returning ACCEPT with VLAN 40 and role (pf::Switch::returnRadiusAccessAccept)
> > Nov 21 15:53:28 pfsetvlan(3) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
> > Nov 21 15:53:28 pfsetvlan(3) INFO: doWeActOnThisTrap returns false. Stop dot11Deauthentication handling (main::handleTrap)
> > Nov 21 15:53:28 pfsetvlan(3) INFO: finished (main::cleanupAfterThread)
> > Nov 21 15:53:30 pfsetvlan(5) INFO: nb of items in queue: 1; nb of threads running: 0 (main::startTrapHandlers)
> > Nov 21 15:53:30 pfsetvlan(5) INFO: doWeActOnThisTrap returns false. Stop dot11Deauthentication handling (main::handleTrap)
> > Nov 21 15:53:30 pfsetvlan(5) INFO: finished (main::cleanupAfterThread)
> >
> > CISCO 1242 AG DEBUG OUTPUT
> >
> > PACKETFENCE-AP1#
> > *Jun 16 01:05:24.942: AAA/BIND(00000051): Bind i/f
> > *Jun 16 01:05:24.943: dot11_auth_add_client_entry: Create new client 40b3.951c.20aa for application 0x1
> > *Jun 16 01:05:24.943: dot11_auth_initialize_client: 40b3.951c.20aa is added to the client list for application 0x1
> > *Jun 16 01:05:24.943: dot11_auth_add_client_entry: req->auth_type 1
> > *Jun 16 01:05:24.943: dot11_auth_add_client_entry: auth_methods_inprocess: 1
> > *Jun 16 01:05:24.943: dot11_auth_add_client_entry: mac list name: mac_methods
> > *Jun 16 01:05:24.943: dot11_run_auth_methods: Start auth method MAC
> > *Jun 16 01:05:24.943: dot11_auth_mac_start: method_list: mac_methods
> > *Jun 16 01:05:24.943: dot11_auth_mac_start: method_index: 0xC7000002, req: 0x12BAB74
> > *Jun 16 01:05:24.944: dot11_auth_mac_start: client->unique_id: 0x51
> > *Jun 16 01:05:24.944: AAA/AUTHEN/PPP (00000051): Pick method list 'mac_methods'
> > *Jun 16 01:05:24.944: RADIUS/ENCODE(00000051):Orig. component type = DOT11
> > *Jun 16 01:05:24.945: RADIUS(00000051): Config NAS IP: 0.0.0.0
> > *Jun 16 01:05:24.945: RADIUS/ENCODE(00000051): acct_session_id: 81
> > *Jun 16 01:05:24.945: RADIUS(00000051): Config NAS IP: 0.0.0.0
> > *Jun 16 01:05:24.945: RADIUS(00000051): sending
> > *Jun 16 01:05:24.945: RADIUS/ENCODE: Best Local IP-Address 192.168.200.4 for Radius-Server 192.168.200.62
> > *Jun 16 01:05:24.946: RADIUS(00000051): Send Access-Request to 192.168.200.62:1812 id 1645/88, len 174
> > *Jun 16 01:05:24.946: RADIUS: authenticator 79 D1 BF 70 46 64 BC 2B - 3D 86 C0 5A 72 B9 85 5C
> > *Jun 16 01:05:24.946: RADIUS: User-Name [1] 14 "40b3951c20aa"
> > *Jun 16 01:05:24.946: RADIUS: User-Password [2] 18 *
> > *Jun 16 01:05:24.946: RADIUS: Called-Station-Id [30] 16 "003a.9a55.5370"
> > *Jun 16 01:05:24.946: RADIUS: Calling-Station-Id [31] 16 "40b3.951c.20aa"
> > *Jun 16 01:05:24.947: RADIUS: Vendor, Cisco [26] 23
> > *Jun 16 01:05:24.947: RADIUS: Cisco AVpair [1] 17 "ssid=Packetfence-OPEN"
> > *Jun 16 01:05:24.947: RADIUS: Vendor, WISPr [26] 21
> > *Jun 16 01:05:24.947: RADIUS: WISPr VSA [2] 15 "Demo Location"
> > *Jun 16 01:05:24.947: RADIUS: Service-Type [6] 6 Login [1]
> > *Jun 16 01:05:24.947: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
> > *Jun 16 01:05:24.947: RADIUS: NAS-Port [5] 6 325
> > *Jun 16 01:05:24.947: RADIUS: NAS-Port-Id [87] 5 "325"
> > *Jun 16 01:05:24.947: RADIUS: NAS-IP-Address [4] 6 192.168.200.4
> > *Jun 16 01:05:24.948: RADIUS: Nas-Identifier [32] 17 "PACKETFENCE-AP1"
> > *Jun 16 01:05:25.122: RADIUS: Received from id 1645/88 192.168.200.62:1812, Access-Accept, len 36
> > *Jun 16 01:05:25.123: RADIUS: authenticator 30 03 51 64 B0 B7 D2 C7 - 0C B8 68 92 32 62 13 1C
> > *Jun 16 01:05:25.123: RADIUS: Tunnel-Private-Group[81] 4 "40"
> > *Jun 16 01:05:25.123: RADIUS: Tunnel-Type [64] 6 00:VLAN [13]
> > *Jun 16 01:05:25.123: RADIUS: Tunnel-Medium-Type [65] 6 00:ALL_802 [6]
> > *Jun 16 01:05:25.123: RADIUS(00000051): Received from id 1645/88
> > *Jun 16 01:05:25.124: dot11_mac_process_reply: AAA reply for 40b3.951c.20aa PASSED
> > *Jun 16 01:05:25.124: dot11_auth_server_chk_ssid: Checking for SSID in server attributes
> > *Jun 16 01:05:25.124: dot11_auth_server_vlan_number: Checking for VLAN ID in server attributes
> > *Jun 16 01:05:25.124: dot11_auth_server_vlan_number: Found AAA_AT_TUNNEL_TYPE attribute
> > *Jun 16 01:05:25.124: dot11_auth_server_vlan_number: Found AAA_AT_TUNNEL_TYPE VLAN
> > *Jun 16 01:05:25.124: dot11_auth_server_vlan_number: Tag found is 0
> > *Jun 16 01:05:25.125: dot11_auth_server_vlan_number: Found AAA_AT_TUNNEL_MEDIUM_TYPE attribute
> > *Jun 16 01:05:25.125: dot11_auth_server_vlan_number: Found AAA_AT_TUNNEL_MEDIUM_TYPE with value 802
> > *Jun 16 01:05:25.125: dot11_auth_server_vlan_number: Found our group tag 0
> > *Jun 16 01:05:25.125: dot11_auth_server_vlan_number: Found AAA_AT_TUNNEL_PRIVATE_GROUP_IDattribute 81
> > *Jun 16 01:05:25.125: dot11_auth_server_vlan_number: Found our group tag 0
> > *Jun 16 01:05:25.125: dot11_auth_server_vlan_number: TUNNEL_PRIVATE_GROUP_ID attribute number string 40 for vlan 40
> > *Jun 16 01:05:25.125: dot11_auth_server_get_timeout: Checking for session time out value - attribute #27
> > *Jun 16 01:05:25.125: dot11_auth_send_msg: sending data to requestor status 2
> > *Jun 16 01:05:25.126: dot11_auth_send_msg: resp->nsk_len 0 resp->auth_key_len 0
> > *Jun 16 01:05:25.126: dot11_auth_send_msg: client authenticated 40b3.951c.20aa, node_type 64 for application 0x1
> > *Jun 16 01:05:25.126: dot11_auth_delete_client_entry: 40b3.951c.20aa is deleted for application 0x1
> > *Jun 16 01:05:25.126: dot11_auth_client_abort: Received abort request for client 40b3.951c.20aa
> > *Jun 16 01:05:25.126: dot11_auth_client_abort: No client entry to abort: 40b3.951c.20aa for application 0x1
> > *Jun 16 01:05:25.127: Outgoing SNMP packet
> > *Jun 16 01:05:25.128: v1 packet
> > *Jun 16 01:05:25.128: community string: public
> > *Jun 16 01:05:25.909: AAA/BIND(00000052): Bind i/f
> > *Jun 16 01:05:25.909: dot11_auth_add_client_entry: Create new client 40b3.951c.20aa for application 0x1
> > *Jun 16 01:05:25.909: dot11_auth_initialize_client: 40b3.951c.20aa is added to the client list for application 0x1
> > *Jun 16 01:05:25.909: dot11_auth_add_client_entry: req->auth_type 1
> > *Jun 16 01:05:25.910: dot11_auth_add_client_entry: auth_methods_inprocess: 1
> > *Jun 16 01:05:25.910: dot11_auth_add_client_entry: mac list name: mac_methods
> > *Jun 16 01:05:25.910: dot11_run_auth_methods: Start auth method MAC
> > *Jun 16 01:05:25.910: dot11_auth_mac_start: method_list: mac_methods
> > *Jun 16 01:05:25.910: dot11_auth_mac_start: method_index: 0xC7000002, req: 0x12BAB74
> > *Jun 16 01:05:25.910: dot11_auth_mac_start: client->unique_id: 0x52
> > *Jun 16 01:05:25.910: AAA/AUTHEN/PPP (00000052): Pick method list 'mac_methods'
> > *Jun 16 01:05:25.911: RADIUS/ENCODE(00000052):Orig. component type = DOT11
> > *Jun 16 01:05:25.911: RADIUS(00000052): Config NAS IP: 0.0.0.0
> > *Jun 16 01:05:25.911: RADIUS/ENCODE(00000052): acct_session_id: 82
> > *Jun 16 01:05:25.911: RADIUS(00000052): Config NAS IP: 0.0.0.0
> > *Jun 16 01:05:25.912: RADIUS(00000052): sending
> > *Jun 16 01:05:25.912: RADIUS/ENCODE: Best Local IP-Address 192.168.200.4 for Radius-Server 192.168.200.62
> > *Jun 16 01:05:25.912: RADIUS(00000052): Send Access-Request to 192.168.200.62:1812 id 1645/89, len 174
> > *Jun 16 01:05:25.912: RADIUS: authenticator A9 C9 4E 4E 43 F2 F3 93 - 1C 74 AE 7C 41 AE C9 9D
> > *Jun 16 01:05:25.913: RADIUS: User-Name [1] 14 "40b3951c20aa"
> > *Jun 16 01:05:25.913: RADIUS: User-Password [2] 18 *
> > *Jun 16 01:05:25.913: RADIUS: Called-Station-Id [30] 16 "003a.9a55.5370"
> > *Jun 16 01:05:25.913: RADIUS: Calling-Station-Id [31] 16 "40b3.951c.20aa"
> > *Jun 16 01:05:25.913: RADIUS: Vendor, Cisco [26] 23
> > *Jun 16 01:05:25.913: RADIUS: Cisco AVpair [1] 17 "ssid=Packetfence-OPEN"
> > *Jun 16 01:05:25.913: RADIUS: Vendor, WISPr [26] 21
> > *Jun 16 01:05:25.913: RADIUS: WISPr VSA [2] 15 "Demo Location"
> > *Jun 16 01:05:25.914: RADIUS: Service-Type [6] 6 Login [1]
> > *Jun 16 01:05:25.914: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
> > *Jun 16 01:05:25.914: RADIUS: NAS-Port [5] 6 326
> > *Jun 16 01:05:25.914: RADIUS: NAS-Port-Id [87] 5 "326"
> > *Jun 16 01:05:25.914: RADIUS: NAS-IP-Address [4] 6 192.168.200.4
> > *Jun 16 01:05:25.914: RADIUS: Nas-Identifier [32] 17 "PACKETFENCE-AP1"
> > *Jun 16 01:05:25.987: RADIUS: Received from id 1645/89 192.168.200.62:1812, Access-Accept, len 36
> > *Jun 16 01:05:25.988: RADIUS: authenticator 79 CC 4B AF A3 B0 A3 91 - 2F AB FE 1D 7F F9 A0 E2
> > *Jun 16 01:05:25.988: RADIUS: Tunnel-Private-Group[81] 4 "40"
> > *Jun 16 01:05:25.988: RADIUS: Tunnel-Type [64] 6 00:VLAN [13]
> > *Jun 16 01:05:25.988: RADIUS: Tunnel-Medium-Type [65] 6 00:ALL_802 [6]
> > *Jun 16 01:05:25.989: RADIUS(00000052): Received from id 1645/89
> > *Jun 16 01:05:25.989: dot11_mac_process_reply: AAA reply for 40b3.951c.20aa PASSED
> > *Jun 16 01:05:25.989: dot11_auth_server_chk_ssid: Checking for SSID in server attributes
> > *Jun 16 01:05:25.989: dot11_auth_server_vlan_number: Checking for VLAN ID in server attributes
> > *Jun 16 01:05:25.989: dot11_auth_server_vlan_number: Found AAA_AT_TUNNEL_TYPE attribute
> > *Jun 16 01:05:25.989: dot11_auth_server_vlan_number: Found AAA_AT_TUNNEL_TYPE VLAN
> > *Jun 16 01:05:25.990: dot11_auth_server_vlan_number: Tag found is 0
> > *Jun 16 01:05:25.990: dot11_auth_server_vlan_number: Found AAA_AT_TUNNEL_MEDIUM_TYPE attribute
> > *Jun 16 01:05:25.990: dot11_auth_server_vlan_number: Found AAA_AT_TUNNEL_MEDIUM_TYPE with value 802
> > *Jun 16 01:05:25.990: dot11_auth_server_vlan_number: Found our group tag 0
> > *Jun 16 01:05:25.990: dot11_auth_server_vlan_number: Found AAA_AT_TUNNEL_PRIVATE_GROUP_IDattribute 81
> > *Jun 16 01:05:25.990: dot11_auth_server_vlan_number: Found our group tag 0
> > *Jun 16 01:05:25.990: dot11_auth_server_vlan_number: TUNNEL_PRIVATE_GROUP_ID attribute number string 40 for vlan 40
> > *Jun 16 01:05:25.990: dot11_auth_server_get_timeout: Checking for session time out value - attribute #27
> > *Jun 16 01:05:25.991: dot11_auth_send_msg: sending data to requestor status 2
> > *Jun 16 01:05:25.991: dot11_auth_send_msg: resp->nsk_len 0 resp->auth_key_len 0
> > *Jun 16 01:05:25.991: dot11_auth_send_msg: client authenticated 40b3.951c.20aa, node_type 64 for application 0x1
> > *Jun 16 01:05:25.991: dot11_auth_delete_client_entry: 40b3.951c.20aa is deleted for application 0x1
> > *Jun 16 01:05:25.991: dot11_auth_client_abort: Received abort request for client 40b3.951c.20aa
> > *Jun 16 01:05:25.991: dot11_auth_client_abort: No client entry to abort: 40b3.951c.20aa for application 0x1
> > *Jun 16 01:05:25.993: Outgoing SNMP packet
> > *Jun 16 01:05:25.993: v1 packet
> > *Jun 16 01:05:25.993: community string: public
> >
> > PACKETFENCE RADIUS DEBUG OUTPUT
> >
> > rad_recv: Access-Request packet from host 192.168.200.4 port 1645, id=88, length=174
> > User-Name = "40b3951c20aa"
> > User-Password = "40b3951c20aa"
> > Called-Station-Id = "003a.9a55.5370"
> > Calling-Station-Id = "40b3.951c.20aa"
> > Cisco-AVPair = "ssid=Packetfence-OPEN"
> > WISPr-Location-Name = "Demo Location"
> > Service-Type = Login-User
> > NAS-Port-Type = Wireless-802.11
> > NAS-Port = 325
> > NAS-Port-Id = "325"
> > NAS-IP-Address = 192.168.200.4
> > NAS-Identifier = "PACKETFENCE-AP1"
> > server packetfence {
> > # Executing section authorize from file /usr/local/pf/raddb/sites-enabled/packetfence
> > +group authorize {
> > [suffix] No '@' in User-Name = "40b3951c20aa", looking up realm NULL
> > [suffix] No such realm "NULL"
> > ++[suffix] = noop
> > ++[preprocess] = ok
> > [eap] No EAP-Message, not doing EAP
> > ++[eap] = noop
> > [files] users: Matched entry DEFAULT at line 1
> > ++[files] = ok
> > ++[expiration] = noop
> > ++[logintime] = noop
> > ++update request {
> > expand: %{Packet-Src-IP-Address} -> 192.168.200.4
> > ++} # update request = noop
> > ++update control {
> > ++} # update control = noop
> > rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
> > rlm_perl: Added pair Service-Type = Login-User
> > rlm_perl: Added pair Calling-Station-Id = 40b3.951c.20aa
> > rlm_perl: Added pair Called-Station-Id = 003a.9a55.5370
> > rlm_perl: Added pair FreeRADIUS-Client-IP-Address = 192.168.200.4
> > rlm_perl: Added pair Cisco-AVPair = ssid=Packetfence-OPEN
> > rlm_perl: Added pair User-Name = 40b3951c20aa
> > rlm_perl: Added pair NAS-Identifier = PACKETFENCE-AP1
> > rlm_perl: Added pair User-Password = 40b3951c20aa
> > rlm_perl: Added pair NAS-IP-Address = 192.168.200.4
> > rlm_perl: Added pair NAS-Port = 325
> > rlm_perl: Added pair NAS-Port-Id = 325
> > rlm_perl: Added pair WISPr-Location-Name = Demo Location
> > rlm_perl: Added pair PacketFence-RPC-Pass =
> > rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1
> > rlm_perl: Added pair
PacketFence-RPC-Proto = http rlm_perl: Added pair > > PacketFence-RPC-User = rlm_perl: Added pair Auth-Type = Accept > > rlm_perl: Added pair PacketFence-RPC-Port = 9090 ++[packetfence] = > > noop +} # group authorize = ok Found Auth-Type = Accept Auth-Type = > > Accept, accepting the user Login OK: [40b3951c20aa] (from client > > 192.168.200.4 port 325 cli 40b3.951c.20aa) } # server packetfence # > > Executing section post-auth from file > > /usr/local/pf/raddb/sites-enabled/packetfence +group post-auth { > > ++[exec] = noop ++? if (!EAP-Type || (EAP-Type != EAP-TTLS && > > EAP-Type != PEAP)) ? Evaluating !(EAP-Type ) -> TRUE ?? Skipping > > (EAP-Type != EAP-TTLS ) ?? Skipping (EAP-Type != PEAP) ++? if > > (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) -> TRUE > > ++if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) { > > +++update control { +++} # update control = noop rlm_perl: > > Returning vlan 40 to request from 40:b3:95:1c:20:aa port 325 > > rlm_perl: PacketFence RESULT RESPONSE CODE: 2 (2 means OK) > > rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: > > Added pair Service-Type = Login-User rlm_perl: Added pair > > Called-Station-Id = 003a.9a55.5370 rlm_perl: Added pair > > Calling-Station-Id = 40b3.951c.20aa rlm_perl: Added pair > > FreeRADIUS-Client-IP-Address = 192.168.200.4 rlm_perl: Added pair > > Cisco-AVPair = ssid=Packetfence-OPEN rlm_perl: Added pair User-Name > > = 40b3951c20aa rlm_perl: Added pair NAS-Identifier = > > PACKETFENCE-AP1 rlm_perl: Added pair User-Password = 40b3951c20aa > > rlm_perl: Added pair NAS-Port = 325 rlm_perl: Added pair > > NAS-IP-Address = 192.168.200.4 rlm_perl: Added pair > > WISPr-Location-Name = Demo Location rlm_perl: Added pair > > NAS-Port-Id = 325 rlm_perl: Added pair Tunnel-Private-Group-ID = > > 40 rlm_perl: Added pair Tunnel-Type = 13 rlm_perl: Added pair > > Tunnel-Medium-Type = 6 rlm_perl: Added pair PacketFence-RPC-Pass = > > rlm_perl: Added pair PacketFence-RPC-Server = 
127.0.0.1 rlm_perl: > > Added pair PacketFence-RPC-User = rlm_perl: Added pair > > PacketFence-RPC-Proto = http rlm_perl: Added pair Auth-Type = > > Accept rlm_perl: Added pair PacketFence-RPC-Port = 9090 > > +++[packetfence] = ok ++} # if (!EAP-Type || (EAP-Type != EAP-TTLS > > && EAP-Type != PEAP)) = ok +} # group post-auth = ok Sending > > Access-Accept of id 88 to 192.168.200.4 port 1645 > > Tunnel-Private-Group-Id:0 = "40" Tunnel-Type:0 = VLAN > > Tunnel-Medium-Type:0 = IEEE-802 Finished request 0. Going to the > > next request Waking up in 4.9 seconds. rad_recv: Access-Request > > packet from host 192.168.200.4 port 1645, id=89, length=174 > > User-Name = "40b3951c20aa" User-Password = "40b3951c20aa" > > Called-Station-Id = "003a.9a55.5370" Calling-Station-Id = > > "40b3.951c.20aa" Cisco-AVPair = "ssid=Packetfence-OPEN" > > WISPr-Location-Name = "Demo Location" Service-Type = Login-User > > NAS-Port-Type = Wireless-802.11 NAS-Port = 326 NAS-Port-Id = "326" > > NAS-IP-Address = 192.168.200.4 NAS-Identifier = "PACKETFENCE-AP1" > > server packetfence { # Executing section authorize from file > > /usr/local/pf/raddb/sites-enabled/packetfence +group authorize { > > [suffix] No '@' in User-Name = "40b3951c20aa", looking up realm > > NULL [suffix] No such realm "NULL" ++[suffix] = noop ++[preprocess] > > = ok [eap] No EAP-Message, not doing EAP ++[eap] = noop [files] > > users: Matched entry DEFAULT at line 1 ++[files] = ok > > ++[expiration] = noop ++[logintime] = noop ++update request { > > expand: %{Packet-Src-IP-Address} -> 192.168.200.4 ++} # update > > request = noop ++update control { ++} # update control = noop > > rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: > > Added pair Service-Type = Login-User rlm_perl: Added pair > > Calling-Station-Id = 40b3.951c.20aa rlm_perl: Added pair > > Called-Station-Id = 003a.9a55.5370 rlm_perl: Added pair > > FreeRADIUS-Client-IP-Address = 192.168.200.4 rlm_perl: Added pair > > Cisco-AVPair = 
ssid=Packetfence-OPEN rlm_perl: Added pair User-Name > > = 40b3951c20aa rlm_perl: Added pair NAS-Identifier = > > PACKETFENCE-AP1 rlm_perl: Added pair User-Password = 40b3951c20aa > > rlm_perl: Added pair NAS-IP-Address = 192.168.200.4 rlm_perl: Added > > pair NAS-Port = 326 rlm_perl: Added pair NAS-Port-Id = 326 > > rlm_perl: Added pair WISPr-Location-Name = Demo Location rlm_perl: > > Added pair PacketFence-RPC-Pass = rlm_perl: Added pair > > PacketFence-RPC-Server = 127.0.0.1 rlm_perl: Added pair > > PacketFence-RPC-Proto = http rlm_perl: Added pair > > PacketFence-RPC-User = rlm_perl: Added pair Auth-Type = Accept > > rlm_perl: Added pair PacketFence-RPC-Port = 9090 ++[packetfence] = > > noop +} # group authorize = ok Found Auth-Type = Accept Auth-Type = > > Accept, accepting the user Login OK: [40b3951c20aa] (from client > > 192.168.200.4 port 326 cli 40b3.951c.20aa) } # server packetfence # > > Executing section post-auth from file > > /usr/local/pf/raddb/sites-enabled/packetfence +group post-auth { > > ++[exec] = noop ++? if (!EAP-Type || (EAP-Type != EAP-TTLS && > > EAP-Type != PEAP)) ? Evaluating !(EAP-Type ) -> TRUE ?? Skipping > > (EAP-Type != EAP-TTLS ) ?? Skipping (EAP-Type != PEAP) ++? 
if > > (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) -> TRUE > > ++if (!EAP-Type || (EAP-Type != EAP-TTLS && EAP-Type != PEAP)) { > > +++update control { +++} # update control = noop rlm_perl: > > Returning vlan 40 to request from 40:b3:95:1c:20:aa port 326 > > rlm_perl: PacketFence RESULT RESPONSE CODE: 2 (2 means OK) > > rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: > > Added pair Service-Type = Login-User rlm_perl: Added pair > > Called-Station-Id = 003a.9a55.5370 rlm_perl: Added pair > > Calling-Station-Id = 40b3.951c.20aa rlm_perl: Added pair > > FreeRADIUS-Client-IP-Address = 192.168.200.4 rlm_perl: Added pair > > Cisco-AVPair = ssid=Packetfence-OPEN rlm_perl: Added pair User-Name > > = 40b3951c20aa rlm_perl: Added pair NAS-Identifier = > > PACKETFENCE-AP1 rlm_perl: Added pair User-Password = 40b3951c20aa > > rlm_perl: Added pair NAS-Port = 326 rlm_perl: Added pair > > NAS-IP-Address = 192.168.200.4 rlm_perl: Added pair > > WISPr-Location-Name = Demo Location rlm_perl: Added pair > > NAS-Port-Id = 326 rlm_perl: Added pair Tunnel-Private-Group-ID = > > 40 rlm_perl: Added pair Tunnel-Type = 13 rlm_perl: Added pair > > Tunnel-Medium-Type = 6 rlm_perl: Added pair PacketFence-RPC-Pass = > > rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1 rlm_perl: > > Added pair PacketFence-RPC-User = rlm_perl: Added pair > > PacketFence-RPC-Proto = http rlm_perl: Added pair Auth-Type = > > Accept rlm_perl: Added pair PacketFence-RPC-Port = 9090 > > +++[packetfence] = ok ++} # if (!EAP-Type || (EAP-Type != EAP-TTLS > > && EAP-Type != PEAP)) = ok +} # group post-auth = ok Sending > > Access-Accept of id 89 to 192.168.200.4 port 1645 > > Tunnel-Private-Group-Id:0 = "40" Tunnel-Type:0 = VLAN > > Tunnel-Medium-Type:0 = IEEE-802 Finished request 1. > > > > > > The information contained in this e-mail may be subject to public > > disclosure under the NHS Code of Openness or the Freedom of > > Information Act 2000. 
Unless the information is legally exempt, the > > confidentiality of this e-mail and your reply cannot be > > guaranteed. Unless expressly stated otherwise, the information > > contained in this e-mail is intended for the named recipient(s) > > only. If you are not the intended recipient you must not copy, > > distribute, or take any action or reliance upon it. If you have > > received this e-mail in error, please notify the sender. Any > > unauthorised disclosure of the information contained in this e-mail > > is strictly prohibited. > > > > _______________________________________________ > > PacketFence-users mailing list > > [email protected] > > https://lists.sourceforge.net/lists/listinfo/packetfence-users
-- Fabrice Durand [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
