I was playing with this a little bit today.  I had to remove the
Acct-Session-ID from the Aruba.PM because the Aruba always said session not
found.  Might be because I was connected with dot1x, then moved to a mac
based SSID.

On Tue, Apr 28, 2015 at 9:01 AM, Tim DeNike <[email protected]> wrote:

> I want to use roles. :)
>
> Sent from my iPhone
>
> > On Apr 28, 2015, at 8:54 AM, Fabrice DURAND <[email protected]> wrote:
> >
> > Or the other solution is just to uncheck "Role by Switch Role" or leave
> > the role blank.
> >
> > Also, to help configure the Aruba Controller with PacketFence, follow
> > these instructions and just replace ClearPass with PacketFence.
> >
> > http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-integrate-Aruba-Controller-with-CPPM-to-perform-Captive/ta-p/192291
> >
> > Regards
> > Fabrice
> >
> > On 2015-04-28 08:21, Tim DeNike wrote:
> >> sub radiusDisconnect is the culprit if you have roles enabled on the
> >> switch config.
> >>
> >> The Aruba module sends a COA to change the role instead of a
> >> disconnect if you want it to change VLANs.
> >>
> >>      # if ( defined($role) && (defined($node_info->{'status'}) && isenabled($self->{_RoleMap}) ) ) {
> >>      #     $attributes_ref = {
> >>      #         %$attributes_ref,
> >>      #         'Filter-Id' => $role,
> >>      #     };
> >>      #     $logger->info("[$self->{'_ip'}] Returning ACCEPT with role: $role");
> >>      #     $response = perform_coa($connection_info, $attributes_ref);
> >>      # }
> >>      # else {
> >>            $response = perform_disconnect($connection_info, $attributes_ref);
> >>      # }
> >>
> >> Commenting out these fields and leaving only the one makes it work.
> >>
> >> On Wed, Jan 14, 2015 at 10:54 AM, Fabrice DURAND <[email protected]> wrote:
> >>
> >>    Hi Lee,
> >>
> >>    First, it looks like MAC authentication is missing on the Aruba side.
> >>    When a device tries to connect to the SSID, a RADIUS request must be
> >>    sent to PacketFence.
> >>    Then PacketFence will be able to know on which controller the
> >>    device is connected.
> >>
> >>    Fix that and paste the log after.
> >>    Regards
> >>    Fabrice
> >>
> >>    On 2015-01-13 08:25, Lee Wilson wrote:
> >>> Lee Wilson <leefm40@...> writes:
> >>>> Been messing around with this over the XMas break and think I've made
> >>>> some good progress but still not able to get access once registered on
> >>>> PacketFence.
> >>>>
> >>>> This is what happens so far.
> >>>> 1) User connects to open SSID and is redirected by the Aruba controller
> >>>> to the portal URL running on PacketFence
> >>>> 2) PacketFence prompts for registration which I complete
> >>>> 3) PacketFence then tries to access the detection.gif using the 10 minute
> >>>> temporary access but is unable to as the user is still in the
> >>>> registration role on the Aruba.
> >>>>
> >>>> From what I've read about RFC 3576 the RADIUS server on PacketFence
> >>>> should send a request back to the controller in order to change the
> >>>> role rather than the Aruba asking RADIUS for the information. Is this
> >>>> correct?
> >>>>
> >>>> I've run a tcpdump on the PacketFence server and can see it neither
> >>>> receiving nor sending any RADIUS packets to the Aruba controller, debug
> >>>> logs aren't much use either.  If I run an AAA test on the Aruba the test
> >>>> comes back as successful.
> >>>>
> >>>> On a side note, should the switch mode on PacketFence be Registration or
> >>>> Production for the Aruba controller?  I've tried but with no difference.
> >>>> Bit stumped where to go from here, any suggestions?
> >>>>
> >>>> Thanks for your help so far
> >>>>
> >>>> Lee
> >>> I had a more detailed look at the logs and it seems as though
> >>> PacketFence doesn't think I've added the Aruba as a switch. This is what
> >>> is logged as I register via the portal:
> >>>
> >>> ==> ../logs/pfdhcplistener.log <==
> >>> Jan 13 11:52:03 pfdhcplistener(6961) INFO: Unseen before node added: 00:xx:xx:xx:xx:xx (main::listen_dhcp)
> >>> Jan 13 11:52:04 pfdhcplistener(6961) INFO: DHCPREQUEST from 00:xx:xx:xx:xx:xx (192.168.x.x) (main::parse_dhcp_request)
> >>> Jan 13 11:52:04 pfdhcplistener(6961) WARN: unable to resolve 00:xx:xx:xx:xx:xx to ip (pf::iplog::mac2ip)
> >>>
> >>> ==> ../logs/pfdhcplistener.log <==
> >>> Jan 13 11:52:12 pfdhcplistener(6961) INFO: 00:xx:xx:xx:xx:xx requested an IP. DHCP Fingerprint: OS::107 (Microsoft Windows Vista/7 or Server 2008 (Version 6.0)). Modified node with last_dhcp = 2015-01-13 11:52:10,computername = TESTLAPTOP,dhcp_fingerprint = x,x,x,x,x,x,x,x (main::listen_dhcp)
> >>>
> >>> ==> ../logs/packetfence.log <==
> >>> Jan 13 11:52:18 httpd.portal(6922) ERROR: WARNING ! Unknown switch(es) (pf::SwitchFactory::instantiate)
> >>> Jan 13 11:52:19 httpd.portal(6920) ERROR: WARNING ! Unknown switch(es) (pf::SwitchFactory::instantiate)
> >>>
> >>> ==> ../logs/pfdhcplistener.log <==
> >>> Jan 13 11:52:21 pfdhcplistener(6961) INFO: DHCPACK from 192.168.x.x (00:xx:xx:xx:xx:xx to host 00:xx:xx:xx:xx:xx (192.168.x.x) for 1600 seconds (main::parse_dhcp_ack)
> >>> Jan 13 11:52:21 pfdhcplistener(6961) INFO: DHCPACK CIADDR from 192.168.x.x (00:xx:xx:xx:xx:xx) to host 00:xx:xx:xx:xx:xx (192.168.x.x) (main::parse_dhcp_ack)
> >>>
> >>> ==> ../logs/packetfence.log <==
> >>> Jan 13 11:52:27 httpd.portal(6921) ERROR: WARNING ! Unknown switch(es) (pf::SwitchFactory::instantiate)
> >>> Jan 13 11:53:48 httpd.portal(6926) INFO: [00:xx:xx:xx:xx:xx] Updating node user_agent with useragent: 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0)' (captiveportal::PacketFence::Controller::CaptivePortal::nodeRecordUserAgent)
> >>> Jan 13 11:53:48 httpd.portal(6926) INFO: [00:xx:xx:xx:xx:xx] redirected to default (captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
> >>> Jan 13 11:53:49 httpd.portal(6926) INFO: [00:xx:xx:xx:xx:xx] redirected to authentication page (captiveportal::PacketFence::Controller::CaptivePortal::checkIfNeedsToRegister)
> >>> Jan 13 11:54:14 httpd.portal(6923) ERROR: WARNING ! Unknown switch(es) (pf::SwitchFactory::instantiate)
> >>> Jan 13 11:56:46 httpd.portal(7246) INFO: registering 00:xx:xx:xx:xx:xx guest by email (captiveportal::PacketFence::Controller::Signup::doEmailSelfRegistration)
> >>> Jan 13 11:56:46 httpd.portal(7246) INFO: Matched rule (catchall) in source email, returning actions. (pf::Authentication::Source::match)
> >>> Jan 13 11:56:46 httpd.portal(7246) INFO: person [email protected] added (pf::person::person_add)
> >>> Jan 13 11:56:46 httpd.portal(7246) WARN: modify of non-existent person [email protected] attempted - person added (pf::person::person_modify)
> >>> Jan 13 11:56:46 httpd.portal(7246) INFO: person [email protected] modified to [email protected] (pf::person::person_modify)
> >>> Jan 13 11:56:46 httpd.portal(7246) INFO: [00:xx:xx:xx:xx:xx] re-evaluating access (manage_register called) (pf::enforcement::reevaluate_access)
> >>> Jan 13 11:56:46 httpd.portal(7246) WARN: [00:xx:xx:xx:xx:xx] Can't re-evaluate access because no open locationlog entry was found (pf::enforcement::reevaluate_access)
> >>> Jan 13 11:56:46 httpd.portal(7246) INFO: new activation code successfully generated (pf::activation::create)
> >>> Jan 13 11:56:48 httpd.portal(7246) INFO: Email sent to [email protected] (example.com: Email activation required) (pf::activation::__ANON__)
> >>> Jan 13 11:56:57 httpd.portal(7247) ERROR: WARNING ! Unknown switch(es) (pf::SwitchFactory::instantiate)
> >>> Jan 13 11:56:57 httpd.portal(7242) INFO: [00:xx:xx:xx:xx:xx] shouldn't reach here. Calling access re-evaluation. Make sure your network device configuration is correct. (captiveportal::PacketFence::Controller::CaptivePortal::unknownState)
> >>> Jan 13 11:56:57 httpd.portal(7242) INFO: [00:xx:xx:xx:xx:xx] re-evaluating access (redir.cgi called) (pf::enforcement::reevaluate_access)
> >>> Jan 13 11:56:57 httpd.portal(7242) WARN: [00:xx:xx:xx:xx:xx] Can't re-evaluate access because no open locationlog entry was found (pf::enforcement::reevaluate_access)
> >>>
> >>> I've deleted and re-added the switch (Aruba Controller) as well as
> >>> confirming it exists in switches.conf and radius_nas in MySQL.
> >>>
> >>> How does PacketFence know which switch to inform about the change of
> >>> role based on the capture portal profile?  I can't see any communication
> >>> between them to indicate they are aware of each other (RADIUS or CoA).
> >>>
> >>> Help would really be appreciated as I'm completely stumped as to
> >>> where to go from here.
> >>>
> >>> Lee
> >>
> >>> _______________________________________________
> >>> PacketFence-users mailing list
> >>> [email protected]
> >>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
> >>
> >>
> >>    --
> >>    Fabrice Durand
> >>    [email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
> >>    Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
> >>    PacketFence (http://packetfence.org)
> >>
> >>
> >>
> >
> >
> > --
> > Fabrice Durand
> > [email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
> > Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
> > PacketFence (http://packetfence.org)
> >
>
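
The two RFC 3576 messages this thread turns on, a CoA-Request carrying the role in Filter-Id and a Disconnect-Request with or without Acct-Session-Id, built and checked the way a NAS would check them. This is an added example, not part of the original messages and not PacketFence's code; the function names, the use of Calling-Station-Id to identify the client, and the sample values are assumptions.

```python
import hashlib
import hmac
import struct

# RFC 3576 packet codes and the RADIUS attribute types named in the thread.
DISCONNECT_REQUEST, COA_REQUEST = 40, 43
FILTER_ID, CALLING_STATION_ID, ACCT_SESSION_ID = 11, 31, 44

def build_request(code, ident, secret, attrs):
    """Encode a request; the authenticator is MD5 over the packet with 16
    zero octets in the authenticator field, followed by the shared secret."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def parse_request(packet, secret):
    """NAS-side view: decode the attributes and check the authenticator.
    Returns (code, attrs, authenticator_ok)."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("bad RADIUS length")
    body, attrs, i = packet[20:], [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("bad attribute length")
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    return code, attrs, hmac.compare_digest(expected, packet[4:20])

def role_change(mac, role, secret, ident=1):
    """CoA-Request carrying the new role in Filter-Id (roles enabled)."""
    attrs = [(CALLING_STATION_ID, mac), (FILTER_ID, role)]
    return build_request(COA_REQUEST, ident, secret, attrs)

def disconnect(mac, secret, ident=2, session_id=None):
    """Disconnect-Request; Acct-Session-Id is only sent when supplied."""
    attrs = [(CALLING_STATION_ID, mac)]
    if session_id is not None:
        attrs.append((ACCT_SESSION_ID, session_id))
    return build_request(DISCONNECT_REQUEST, ident, secret, attrs)

if __name__ == "__main__":
    secret, mac = b"constructed-secret", b"001122334455"  # constructed values
    for pkt in (role_change(mac, b"guest", secret), disconnect(mac, secret)):
        print(parse_request(pkt, secret))
```

A request signed with a shared secret that differs from the one configured on the controller fails the authenticator check, which is worth ruling out before debugging attributes.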