Hi Lee,

First, it looks like MAC authentication is missing on the Aruba side.
When a device tries to connect to the SSID, a RADIUS request must be sent
to PacketFence.
Then PacketFence will be able to know on which controller the device is
connected.

Fix that and paste the log after.
Regards
Fabrice

On 2015-01-13 08:25, Lee Wilson wrote:
> Lee Wilson <leefm40@...> writes:
>> Been messing around with this over the XMas break and think I've made
>> some good progress but still not able to get access once registered on
>> PacketFence.
>>
>> This is what happens so far.
>> 1) User connects to open SSID and is redirected by the Aruba controller
>> to the portal URL running on packetfence
>> 2) PacketFence prompts for registration which I complete
>> 3) PacketFence then tries to access the detection.gif using the 10 minute
>> temporary access but is unable to as the user is still in the
>> registration role on the Aruba.
>>
>> From what I've read about RFC 3576 the RADIUS server on PacketFence
>> should send a request back to the controller in order to change the
>> role rather than the Aruba asking RADIUS for the information.  Is this
>> correct?
>>
>> I've run a tcpdump on the PacketFence server and can see it neither
>> receiving nor sending any RADIUS packets to the Aruba controller, debug
>> logs aren't much use either.  If I run an AAA test on the Aruba the test
>> comes back as successful.
>>
>> On a side note, should the switch mode on PacketFence be Registration or
>> Production for the Aruba controller?  I've tried but with no difference.
>> Bit stumped where to go from here, any suggestions?
>>
>> Thanks for your help so far
>>
>> Lee
>>
> I had a more detailed look at the logs and it seems as though
> Packetfence doesn't think I've added the Aruba as a switch. This is what
> is logged as I register via the portal:
>
> ==> ../logs/pfdhcplistener.log <==
> Jan 13 11:52:03 pfdhcplistener(6961) INFO: Unseen before node added: 00:xx:xx:xx:xx:xx (main::listen_dhcp)
> Jan 13 11:52:04 pfdhcplistener(6961) INFO: DHCPREQUEST from 00:xx:xx:xx:xx:xx (192.168.x.x) (main::parse_dhcp_request)
> Jan 13 11:52:04 pfdhcplistener(6961) WARN: unable to resolve 00:xx:xx:xx:xx:xx to ip (pf::iplog::mac2ip)
>
> ==> ../logs/pfdhcplistener.log <==
> Jan 13 11:52:12 pfdhcplistener(6961) INFO: 00:xx:xx:xx:xx:xx requested an IP. DHCP Fingerprint: OS::107 (Microsoft Windows Vista/7 or Server 2008 (Version 6.0)). Modified node with last_dhcp = 2015-01-13 11:52:10,computername = TESTLAPTOP,dhcp_fingerprint = x,x,x,x,x,x,x,x (main::listen_dhcp)
>
>
> ==> ../logs/packetfence.log <==
> Jan 13 11:52:18 httpd.portal(6922) ERROR: WARNING ! Unknown switch(es) (pf::SwitchFactory::instantiate)
> Jan 13 11:52:19 httpd.portal(6920) ERROR: WARNING ! Unknown switch(es) (pf::SwitchFactory::instantiate)
>
>
> ==> ../logs/pfdhcplistener.log <==
> Jan 13 11:52:21 pfdhcplistener(6961) INFO: DHCPACK from 192.168.x.x (00:xx:xx:xx:xx:xx to host 00:xx:xx:xx:xx:xx (192.168.x.x) for 1600 seconds (main::parse_dhcp_ack)
> Jan 13 11:52:21 pfdhcplistener(6961) INFO: DHCPACK CIADDR from 192.168.x.x (00:xx:xx:xx:xx:xx) to host 00:xx:xx:xx:xx:xx (192.168.x.x) (main::parse_dhcp_ack)
>
>
> ==> ../logs/packetfence.log <==
> Jan 13 11:52:27 httpd.portal(6921) ERROR: WARNING ! Unknown switch(es) (pf::SwitchFactory::instantiate)
> Jan 13 11:53:48 httpd.portal(6926) INFO: [00:xx:xx:xx:xx:xx] Updating node user_agent with useragent: 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)' (captiveportal::PacketFence::Controller::CaptivePortal::nodeRecordUserAgent)
> Jan 13 11:53:48 httpd.portal(6926) INFO: [00:xx:xx:xx:xx:xx] redirected to default (captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
> Jan 13 11:53:49 httpd.portal(6926) INFO: [00:xx:xx:xx:xx:xx] redirected to authentication page (captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
> Jan 13 11:54:14 httpd.portal(6923) ERROR: WARNING ! Unknown switch(es) (pf::SwitchFactory::instantiate)
> Jan 13 11:56:46 httpd.portal(7246) INFO: registering 00:xx:xx:xx:xx:xx guest by email (captiveportal::PacketFence::Controller::Signup::doEmailSelfRegistration)
> Jan 13 11:56:46 httpd.portal(7246) INFO: Matched rule (catchall) in source email, returning actions. (pf::Authentication::Source::match)
> Jan 13 11:56:46 httpd.portal(7246) INFO: person [email protected] added (pf::person::person_add)
> Jan 13 11:56:46 httpd.portal(7246) WARN: modify of non-existent person [email protected] attempted - person added (pf::person::person_modify)
> Jan 13 11:56:46 httpd.portal(7246) INFO: person [email protected] modified to [email protected] (pf::person::person_modify)
> Jan 13 11:56:46 httpd.portal(7246) INFO: [00:xx:xx:xx:xx:xx] re-evaluating access (manage_register called) (pf::enforcement::reevaluate_access)
> Jan 13 11:56:46 httpd.portal(7246) WARN: [00:xx:xx:xx:xx:xx] Can't re-evaluate access because no open locationlog entry was found (pf::enforcement::reevaluate_access)
> Jan 13 11:56:46 httpd.portal(7246) INFO: new activation code successfully generated (pf::activation::create)
> Jan 13 11:56:48 httpd.portal(7246) INFO: Email sent to [email protected] (example.com: Email activation required) (pf::activation::__ANON__)
> Jan 13 11:56:57 httpd.portal(7247) ERROR: WARNING ! Unknown switch(es) (pf::SwitchFactory::instantiate)
> Jan 13 11:56:57 httpd.portal(7242) INFO: [00:xx:xx:xx:xx:xx] shouldn't reach here. Calling access re-evaluation. Make sure your network device configuration is correct. (captiveportal::PacketFence::Controller::CaptivePortal::unknownState)
> Jan 13 11:56:57 httpd.portal(7242) INFO: [00:xx:xx:xx:xx:xx] re-evaluating access (redir.cgi called) (pf::enforcement::reevaluate_access)
> Jan 13 11:56:57 httpd.portal(7242) WARN: [00:xx:xx:xx:xx:xx] Can't re-evaluate access because no open locationlog entry was found (pf::enforcement::reevaluate_access)
>
> I've deleted and re-added the switch (Aruba Controller) as well as
> confirming it exists in switches.conf and radius_nas in MySQL.
>
> How does PacketFence know which switch to inform about the change of
> role based on the capture portal profile?  I can't see any communication
> between them to indicate they are aware of each other (RADIUS or CoA).
>
> Help would really be appreciated as I'm completely stumped as to
> where to go from here.
>
> Lee
>
>
> ------------------------------------------------------------------------------
> New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
> GigeNET is offering a free month of service with a new server in Ashburn.
> Choose from 2 high performing configs, both with 100TB of bandwidth.
> Higher redundancy.Lower latency.Increased capacity.Completely compliant.
> http://p.sf.net/sfu/gigenet
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users


-- 
Fabrice Durand
[email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
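
Added example, not part of the original thread and not PacketFence or Aruba code: the wire format of an RFC 3576 Disconnect-Request, the server-initiated message asked about in the quoted question, built and then checked the way the receiving NAS would check it. The request is addressed to one specific NAS, which is why the server first has to learn which controller the device is on. The MAC address, NAS IP and shared secret below are constructed sample values.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40   # RFC 3576 packet code (CoA-Request is 43)
CALLING_STATION_ID = 31   # attribute carrying the client MAC address
NAS_IP_ADDRESS = 4        # attribute naming the controller being addressed


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_disconnect_request(ident: int, mac: str, nas_ip: str, secret: bytes) -> bytes:
    """Build a Disconnect-Request identifying one client session on one NAS."""
    attrs = attr(CALLING_STATION_ID, mac.encode()) + attr(
        NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator = MD5(code, id, length, 16 zero octets, attributes, secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request(packet: bytes, secret: bytes) -> bool:
    """Recompute the authenticator as the NAS does; reject on any mismatch."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attrs(packet: bytes) -> dict:
    """Return {attribute type: value}; stop at a malformed attribute length."""
    out, pos = {}, 20
    while pos + 2 <= len(packet):
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > len(packet):
            break
        out[a_type] = packet[pos + 2:pos + a_len]
        pos += a_len
    return out


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    pkt = build_disconnect_request(1, "00-11-22-33-44-55", "192.0.2.10", b"sample-secret")
    print(len(pkt), verify_request(pkt, b"sample-secret"), parse_attrs(pkt))
```

A NAS that has the wrong shared secret configured, or that receives a packet altered in transit, fails the check in `verify_request` and drops the request.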
