I want to use roles. :)

Sent from my iPhone

> On Apr 28, 2015, at 8:54 AM, Fabrice DURAND <[email protected]> wrote:
>
> Or the other solution is just to uncheck "Role by Switch Role" or leave the role blank.
>
> Also to help to configure the Aruba Controller with PacketFence, follow this instruction and just change Clearpass by PacketFence.
> http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-integrate-Aruba-Controller-with-CPPM-to-perform-Captive/ta-p/192291
>
> Regards
> Fabrice
>
> On 2015-04-28 08:21, Tim DeNike wrote:
>> sub radiusDisconnect is the culprit if you have roles enabled on the switch config.
>>
>> The Aruba module sends a COA to change the role instead of a disconnect if you want it to change VLANs.
>>
>> #    if ( defined($role) && (defined($node_info->{'status'}) && isenabled($self->{_RoleMap}) ) ) {
>> #        $attributes_ref = {
>> #            %$attributes_ref,
>> #            'Filter-Id' => $role,
>> #        };
>> #        $logger->info("[$self->{'_ip'}] Returning ACCEPT with role: $role");
>> #        $response = perform_coa($connection_info, $attributes_ref);
>> #
>> #    }
>> #    else {
>>         $response = perform_disconnect($connection_info, $attributes_ref);
>> #    }
>>
>> Commenting out these fields and leaving only the one makes it work.
>>
>> On Wed, Jan 14, 2015 at 10:54 AM, Fabrice DURAND <[email protected]> wrote:
>>
>> Hi Lee,
>>
>> First, it looks like MAC authentication is missing on the Aruba side.
>> When a device tries to connect to the SSID a radius request must be sent to packetfence.
>> Then packetfence will be able to know on which controller the device is connected.
>>
>> Fix that and paste the log after.
>> Regards
>> Fabrice
>>
>> On 2015-01-13 08:25, Lee Wilson wrote:
>>> Lee Wilson <leefm40@...> writes:
>>>> Been messing around with this over the XMas break and think I've made some good progress but still not able to get access once registered on PacketFence.
>>>>
>>>> This is what happens so far.
>>>> 1) User connects to open SSID and is redirected by the Aruba controller to the portal URL running on packetfence
>>>> 2) PacketFence prompts for registration which I complete
>>>> 3) PacketFence then tries to access the detection.gif using the 10 minute temporary access but is unable to as the user is still in the registration role on the Aruba.
>>>>
>>>> From what I've read about RFC 3576 the RADIUS server on PacketFence should send a request back to the controller in order to change the role rather than the aruba asking RADIUS for the information. Is this correct?
>>>>
>>>> I've run a tcpdump on the PacketFence server and can see it neither receiving nor sending any RADIUS packets to the Aruba controller, debug logs aren't much use either. If I run an AAA test on the Aruba the test comes back as successful.
>>>>
>>>> On a side note, should the switch mode on PacketFence be Registration or Production for the Aruba controller? I've tried but with no difference.
>>>>
>>>> Bit stumped where to go from here, any suggestions?
>>>>
>>>> Thanks for your help so far
>>>>
>>>> Lee
>>>
>>> I have a more detailed look at the logs and it seems as though Packetfence doesn't think I've added the Aruba as a switch. This is what is logged as I register via the portal:
>>>
>>> ==> ../logs/pfdhcplistener.log <==
>>> Jan 13 11:52:03 pfdhcplistener(6961) INFO: Unseen before node added: 00:xx:xx:xx:xx:xx (main::listen_dhcp)
>>> Jan 13 11:52:04 pfdhcplistener(6961) INFO: DHCPREQUEST from 00:xx:xx:xx:xx:xx (192.168.x.x) (main::parse_dhcp_request)
>>> Jan 13 11:52:04 pfdhcplistener(6961) WARN: unable to resolve 00:xx:xx:xx:xx:xx to ip (pf::iplog::mac2ip)
>>>
>>> ==> ../logs/pfdhcplistener.log <==
>>> Jan 13 11:52:12 pfdhcplistener(6961) INFO: 00:xx:xx:xx:xx:xx requested an IP. DHCP Fingerprint: OS::107 (Microsoft Windows Vista/7 or Server 2008 (Version 6.0)). Modified node with last_dhcp = 2015-01-13 11:52:10,computername = TESTLAPTOP,dhcp_fingerprint = x,x,x,x,x,x,x,x (main::listen_dhcp)
>>>
>>> ==> ../logs/packetfence.log <==
>>> Jan 13 11:52:18 httpd.portal(6922) ERROR: WARNING ! Unknown switch(es) (pf::SwitchFactory::instantiate)
>>> Jan 13 11:52:19 httpd.portal(6920) ERROR: WARNING ! Unknown switch(es) (pf::SwitchFactory::instantiate)
>>>
>>> ==> ../logs/pfdhcplistener.log <==
>>> Jan 13 11:52:21 pfdhcplistener(6961) INFO: DHCPACK from 192.168.x.x (00:xx:xx:xx:xx:xx to host 00:xx:xx:xx:xx:xx (192.168.x.x) for 1600 seconds (main::parse_dhcp_ack)
>>> Jan 13 11:52:21 pfdhcplistener(6961) INFO: DHCPACK CIADDR from 192.168.x.x (00:xx:xx:xx:xx:xx) to host 00:xx:xx:xx:xx:xx (192.168.x.x) (main::parse_dhcp_ack)
>>>
>>> ==> ../logs/packetfence.log <==
>>> Jan 13 11:52:27 httpd.portal(6921) ERROR: WARNING ! Unknown switch(es) (pf::SwitchFactory::instantiate)
>>> Jan 13 11:53:48 httpd.portal(6926) INFO: [00:xx:xx:xx:xx:xx] Updating node user_agent with useragent: 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)' (captiveportal::PacketFence::Controller::CaptivePortal::nodeRecordUserAgent)
>>> Jan 13 11:53:48 httpd.portal(6926) INFO: [00:xx:xx:xx:xx:xx] redirected to default (captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
>>> Jan 13 11:53:49 httpd.portal(6926) INFO: [00:xx:xx:xx:xx:xx] redirected to authentication page (captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
>>> Jan 13 11:54:14 httpd.portal(6923) ERROR: WARNING ! Unknown switch(es) (pf::SwitchFactory::instantiate)
>>> Jan 13 11:56:46 httpd.portal(7246) INFO: registering 00:xx:xx:xx:xx:xx guest by email (captiveportal::PacketFence::Controller::Signup::doEmailSelfRegistration)
>>> Jan 13 11:56:46 httpd.portal(7246) INFO: Matched rule (catchall) in source email, returning actions. (pf::Authentication::Source::match)
>>> Jan 13 11:56:46 httpd.portal(7246) INFO: person [email protected] added (pf::person::person_add)
>>> Jan 13 11:56:46 httpd.portal(7246) WARN: modify of non-existent person [email protected] attempted - person added (pf::person::person_modify)
>>> Jan 13 11:56:46 httpd.portal(7246) INFO: person [email protected] modified to [email protected] (pf::person::person_modify)
>>> Jan 13 11:56:46 httpd.portal(7246) INFO: [00:xx:xx:xx:xx:xx] re-evaluating access (manage_register called) (pf::enforcement::reevaluate_access)
>>> Jan 13 11:56:46 httpd.portal(7246) WARN: [00:xx:xx:xx:xx:xx] Can't re-evaluate access because no open locationlog entry was found (pf::enforcement::reevaluate_access)
>>> Jan 13 11:56:46 httpd.portal(7246) INFO: new activation code successfully generated (pf::activation::create)
>>> Jan 13 11:56:48 httpd.portal(7246) INFO: Email sent to [email protected] (example.com: Email activation required) (pf::activation::__ANON__)
>>> Jan 13 11:56:57 httpd.portal(7247) ERROR: WARNING ! Unknown switch(es) (pf::SwitchFactory::instantiate)
>>> Jan 13 11:56:57 httpd.portal(7242) INFO: [00:xx:xx:xx:xx:xx] shouldn't reach here. Calling access re-evaluation. Make sure your network device configuration is correct. (captiveportal::PacketFence::Controller::CaptivePortal::unknownState)
>>> Jan 13 11:56:57 httpd.portal(7242) INFO: [00:xx:xx:xx:xx:xx] re-evaluating access (redir.cgi called) (pf::enforcement::reevaluate_access)
>>> Jan 13 11:56:57 httpd.portal(7242) WARN: [00:xx:xx:xx:xx:xx] Can't re-evaluate access because no open locationlog entry was found (pf::enforcement::reevaluate_access)
>>>
>>> I've deleted and readded the switch (Aruba Controller) as well as confirming it exists in switches.conf and radius_nas in MySQL.
>>>
>>> How does PacketFence know which switch to inform about the change of role based on the capture portal profile? I can't see any communication between them to indicate they are aware of each other (RADIUS or CoA).
>>>
>>> Help would really be appreciated as I'm completely stumped as to where to go from here.
>>>
>>> Lee
>>>
>>> _______________________________________________
>>> PacketFence-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>> --
>> Fabrice Durand
>> [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
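The two RFC 3576 requests this thread turns on, a CoA-Request carrying the role in Filter-Id versus a plain Disconnect-Request, built and verified in Python as an added example (not code from the e-mails or from PacketFence). The shared secret, MAC address, role name, function names and the use of Calling-Station-Id to identify the session are assumptions of the example.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, COA_REQUEST = 40, 43   # RFC 3576 packet codes
FILTER_ID, CALLING_STATION_ID = 11, 31     # standard RADIUS attribute types

def build_request(code, ident, attrs, secret):
    """Encode a Disconnect-/CoA-Request. The Request Authenticator is
    MD5(Code + Id + Length + 16 zero octets + attributes + secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + bytes(16) + body + secret).digest() + body

def parse_and_verify(packet, secret):
    """NAS-side check: validate length and authenticator, then decode attributes."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    body = packet[20:]
    want = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(want, packet[4:20]):
        raise ValueError("authenticator mismatch (shared secret differs)")
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs[body[i]] = body[i + 2:i + body[i + 1]]
        i += body[i + 1]
    return code, attrs

def reevaluate(mac, role, secret, roles_enabled):
    """Mirror the branch quoted in the thread: CoA carrying Filter-Id when a
    role applies, plain Disconnect otherwise. Identifying the session by
    Calling-Station-Id is an assumption of this example."""
    attrs = [(CALLING_STATION_ID, mac)]
    if roles_enabled and role:
        return build_request(COA_REQUEST, 1, attrs + [(FILTER_ID, role)], secret)
    return build_request(DISCONNECT_REQUEST, 1, attrs, secret)

# Constructed sample values, not taken from the thread.
SECRET, MAC, ROLE = b"constructed-secret", b"00-11-22-33-44-55", b"guest"

if __name__ == "__main__":
    for enabled in (True, False):
        pkt = reevaluate(MAC, ROLE, SECRET, enabled)
        print(parse_and_verify(pkt, SECRET))
```

A controller whose shared secret differs from the one used to build the request fails the authenticator check in `parse_and_verify`, which is the same comparison a NAS makes before it acts on either message.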
