sub radiusDisconnect is the culprit if you have roles enabled on the switch
config.
The Aruba module sends a COA to change the role instead of a disconnect if
you want it to change VLANs.
#    if ( defined($role) && (defined($node_info->{'status'}) && isenabled($self->{_RoleMap}) ) ) {
#        $attributes_ref = {
#            %$attributes_ref,
#            'Filter-Id' => $role,
#        };
#        $logger->info("[$self->{'_ip'}] Returning ACCEPT with role: $role");
#        $response = perform_coa($connection_info, $attributes_ref);
#
#    }
#    else {
        $response = perform_disconnect($connection_info, $attributes_ref);
#    }
Commenting out these fields and leaving only the one makes it work.
On Wed, Jan 14, 2015 at 10:54 AM, Fabrice DURAND <[email protected]> wrote:
> Hi Lee,
>
> First, it looks like MAC authentication is missing on the Aruba side.
> When a device tries to connect to the SSID, a RADIUS request must be sent
> to PacketFence.
> Then PacketFence will be able to know on which controller the device is
> connected.
>
> Fix that and paste the log after.
> Regards
> Fabrice
>
> On 2015-01-13 08:25, Lee Wilson wrote:
> > Lee Wilson <leefm40@...> writes:
> >> Been messing around with this over the XMas break and think I've made
> >> some good progress but still not able to get access once registered on
> >> PacketFence.
> >>
> >> This is what happens so far.
> >> 1) User connects to open SSID and is redirected by the Aruba controller
> >> to the portal URL running on packetfence
> >> 2) PacketFence prompts for registration which I complete
> >> 3) PacketFence then tries to access the detection.gif using the 10 minute
> >> temporary access but is unable to as the user is still in the
> >> registration role on the Aruba.
> >>
> >> From what I've read about RFC 3576 the RADIUS server on PacketFence
> >> should send a request back to the controller in order to change the
> >> role rather than the Aruba asking RADIUS for the information. Is this
> >> correct?
> >>
> >> I've run a tcpdump on the PacketFence server and can see it neither
> >> receiving nor sending any RADIUS packets to the Aruba controller, debug
> >> logs aren't much use either. If I run an AAA test on the Aruba the test
> >> comes back as successful.
> >>
> >> On a side note, should the switch mode on PacketFence be Registration or
> >> Production for the Aruba controller? I've tried but with no difference.
> >> Bit stumped where to go from here, any suggestions?
> >>
> >> Thanks for your help so far
> >>
> >> Lee
> >>
> > I had a more detailed look at the logs and it seems as though
> > PacketFence doesn't think I've added the Aruba as a switch. This is what
> > is logged as I register via the portal:
> >
> > ==> ../logs/pfdhcplistener.log <==
> > Jan 13 11:52:03 pfdhcplistener(6961) INFO: Unseen before node added: 00:xx:xx:xx:xx:xx (main::listen_dhcp)
> > Jan 13 11:52:04 pfdhcplistener(6961) INFO: DHCPREQUEST from 00:xx:xx:xx:xx:xx (192.168.x.x) (main::parse_dhcp_request)
> > Jan 13 11:52:04 pfdhcplistener(6961) WARN: unable to resolve 00:xx:xx:xx:xx:xx to ip (pf::iplog::mac2ip)
> >
> > ==> ../logs/pfdhcplistener.log <==
> > Jan 13 11:52:12 pfdhcplistener(6961) INFO: 00:xx:xx:xx:xx:xx requested an IP. DHCP Fingerprint: OS::107 (Microsoft Windows Vista/7 or Server 2008 (Version 6.0)). Modified node with last_dhcp = 2015-01-13 11:52:10,computername = TESTLAPTOP,dhcp_fingerprint = x,x,x,x,x,x,x,x (main::listen_dhcp)
> >
> >
> > ==> ../logs/packetfence.log <==
> > Jan 13 11:52:18 httpd.portal(6922) ERROR: WARNING ! Unknown switch(es) (pf::SwitchFactory::instantiate)
> > Jan 13 11:52:19 httpd.portal(6920) ERROR: WARNING ! Unknown switch(es) (pf::SwitchFactory::instantiate)
> >
> >
> > ==> ../logs/pfdhcplistener.log <==
> > Jan 13 11:52:21 pfdhcplistener(6961) INFO: DHCPACK from 192.168.x.x (00:xx:xx:xx:xx:xx to host 00:xx:xx:xx:xx:xx (192.168.x.x) for 1600 seconds (main::parse_dhcp_ack)
> > Jan 13 11:52:21 pfdhcplistener(6961) INFO: DHCPACK CIADDR from 192.168.x.x (00:xx:xx:xx:xx:xx) to host 00:xx:xx:xx:xx:xx (192.168.x.x) (main::parse_dhcp_ack)
> >
> >
> > ==> ../logs/packetfence.log <==
> > Jan 13 11:52:27 httpd.portal(6921) ERROR: WARNING ! Unknown switch(es) (pf::SwitchFactory::instantiate)
> > Jan 13 11:53:48 httpd.portal(6926) INFO: [00:xx:xx:xx:xx:xx] Updating node user_agent with useragent: 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)' (captiveportal::PacketFence::Controller::CaptivePortal::nodeRecordUserAgent)
> > Jan 13 11:53:48 httpd.portal(6926) INFO: [00:xx:xx:xx:xx:xx] redirected to default (captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
> > Jan 13 11:53:49 httpd.portal(6926) INFO: [00:xx:xx:xx:xx:xx] redirected to authentication page (captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
> > Jan 13 11:54:14 httpd.portal(6923) ERROR: WARNING ! Unknown switch(es) (pf::SwitchFactory::instantiate)
> > Jan 13 11:56:46 httpd.portal(7246) INFO: registering 00:xx:xx:xx:xx:xx guest by email (captiveportal::PacketFence::Controller::Signup::doEmailSelfRegistration)
> > Jan 13 11:56:46 httpd.portal(7246) INFO: Matched rule (catchall) in source email, returning actions. (pf::Authentication::Source::match)
> > Jan 13 11:56:46 httpd.portal(7246) INFO: person [email protected] added (pf::person::person_add)
> > Jan 13 11:56:46 httpd.portal(7246) WARN: modify of non-existent person [email protected] attempted - person added (pf::person::person_modify)
> > Jan 13 11:56:46 httpd.portal(7246) INFO: person [email protected] modified to [email protected] (pf::person::person_modify)
> > Jan 13 11:56:46 httpd.portal(7246) INFO: [00:xx:xx:xx:xx:xx] re-evaluating access (manage_register called) (pf::enforcement::reevaluate_access)
> > Jan 13 11:56:46 httpd.portal(7246) WARN: [00:xx:xx:xx:xx:xx] Can't re-evaluate access because no open locationlog entry was found (pf::enforcement::reevaluate_access)
> > Jan 13 11:56:46 httpd.portal(7246) INFO: new activation code successfully generated (pf::activation::create)
> > Jan 13 11:56:48 httpd.portal(7246) INFO: Email sent to [email protected] (example.com: Email activation required) (pf::activation::__ANON__)
> > Jan 13 11:56:57 httpd.portal(7247) ERROR: WARNING ! Unknown switch(es) (pf::SwitchFactory::instantiate)
> > Jan 13 11:56:57 httpd.portal(7242) INFO: [00:xx:xx:xx:xx:xx] shouldn't reach here. Calling access re-evaluation. Make sure your network device configuration is correct. (captiveportal::PacketFence::Controller::CaptivePortal::unknownState)
> > Jan 13 11:56:57 httpd.portal(7242) INFO: [00:xx:xx:xx:xx:xx] re-evaluating access (redir.cgi called) (pf::enforcement::reevaluate_access)
> > Jan 13 11:56:57 httpd.portal(7242) WARN: [00:xx:xx:xx:xx:xx] Can't re-evaluate access because no open locationlog entry was found (pf::enforcement::reevaluate_access)
> >
> > I've deleted and readded the switch (Aruba Controller) as well as
> > confirming it exists in switches.conf and radius_nas in MySQL.
> >
> > How does PacketFence know which switch to inform about the change of
> > role based on the capture portal profile? I can't see any communication
> > between them to indicate they are aware of each other (RADIUS or CoA).
> >
> > Help would really be appreciated as I'm completely stumped as to
> > where to go from here.
> >
> > Lee
> >
> >
> >
> > _______________________________________________
> > PacketFence-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
> --
> Fabrice Durand
> [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (
> http://packetfence.org)
>
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
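
Added example (not part of the original thread and not PacketFence code): the two RFC 3576 request types that the quoted branch chooses between, encoded and checked in Python so that a UDP/3799 payload taken from tcpdump can be identified as a CoA-Request carrying Filter-Id or a Disconnect-Request. Identifying the session by Calling-Station-Id, the function names build_request, parse_request and request_for, and the sample MAC, role and secret are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# RFC 3576 packet codes and the RADIUS attribute types used below.
DISCONNECT_REQUEST, COA_REQUEST = 40, 43
FILTER_ID, CALLING_STATION_ID = 11, 31
CODE_NAMES = {40: "Disconnect-Request", 43: "CoA-Request"}

def build_request(code, ident, attrs, secret):
    """Encode a dynamic-authorization request and sign it with the shared secret."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attrs + secret)
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def parse_request(packet, secret):
    """Decode a captured UDP/3799 payload: type, attributes, authenticator check."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    auth, body = packet[4:20], packet[20:length]
    attrs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute")
        a_type, a_len = body[pos], body[pos + 1]
        if a_len < 2 or pos + a_len > len(body):
            raise ValueError("bad attribute length")
        attrs.append((a_type, body[pos + 2:pos + a_len]))
        pos += a_len
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    return {"type": CODE_NAMES.get(code, f"code {code}"), "id": ident,
            "attrs": attrs, "authentic": hmac.compare_digest(auth, expected)}

def request_for(mac, role, secret, ident=1):
    """Mirror the quoted branch: a role gives CoA + Filter-Id, no role a disconnect."""
    session = [(CALLING_STATION_ID, mac.encode())]  # assumed session identifier
    if role is not None:
        return build_request(COA_REQUEST, ident, session + [(FILTER_ID, role.encode())], secret)
    return build_request(DISCONNECT_REQUEST, ident, session, secret)

if __name__ == "__main__":
    SECRET = b"constructed-secret"  # constructed sample value, not from the thread
    for role in ("guest", None):
        print(parse_request(request_for("00:11:22:33:44:55", role, SECRET), SECRET))
```

An "authentic" value of False on a captured packet means the shared secret configured on the two sides differs, in which case the controller will not act on the request.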