Should I report this as a bug, or do I need to do something in the config to
allow PF to apply the controller port variable?
I’m running 5.0.1 by the way, perhaps this is resolved already with an upgrade?
Cheers,
Andi
From: Morris, Andi [mailto:[email protected]]
Sent: 18 May 2015 14:32
To: '[email protected]'
Subject: Re: [PacketFence-users] radius disconnect in Cisco WLC
I’ve found a way to change the CoA port on the WLC from 1700 to 3799, and I’m
now seeing the radius disconnect successful messages and my clients are being
disconnected.
However, if at all possible I’d like to be able to configure PacketFence to be
able to use the configured port, rather than changing default options on the
WLC, as we have a few different WLC flavours, and I’m not sure if it’s a
changeable option on the older types.
Cheers,
Andi
From: Morris, Andi [mailto:[email protected]]
Sent: 18 May 2015 13:58
To: '[email protected]'
Subject: Re: [PacketFence-users] radius disconnect in Cisco WLC
An update. I think that my WLC might be using a different port for the CoA.
Running a show ip connections from the CLI I see that the controller is
listening on port 1700 on the IP 192.168.199.101, which is the switch's
management IP address (I was mistaken in my previous reply when I said
192.168.196.13 was the management IP. That is the IP of one of the wireless
interfaces. I just happen to use that IP for my management of the WLC).
I have updated the switch config in PF to use 192.168.199.101 and port 1700 and
restarted the PF services. However PF seems to not be taking into account the
port config and is still sending to port 3799.
May 18 13:47:10 httpd.webservices(9990) INFO: [30:10:b3:13:be:37]
DesAssociating mac on switch (192.168.196.13) (pf::api::desAssociate)
May 18 13:47:10 httpd.webservices(9990) INFO: [30:10:b3:13:be:37]
deauthenticating (pf::Switch::radiusDisconnect)
May 18 13:47:10 httpd.webservices(9990) INFO: controllerIp is set, we will use
controller 192.168.199.101 to perform deauth (pf::Switch::radiusDisconnect)
May 18 13:47:10 httpd.webservices(9990) WARN: Unable to perform RADIUS
Disconnect-Request: No answer from 192.168.199.101 on port 3799 at
/usr/local/pf/lib/pf/util/radius.pm line 145. (pf::Switch::__ANON__)
Switch config is:
[192.168.196.13]
mode=production
description=WLC
type=Cisco::WLC_5500
RoleMap=N
controllerIp=192.168.199.101
controllerPort=1700
Cheers,
Andi
From: Morris, Andi [mailto:[email protected]]
Sent: 18 May 2015 10:50
To: '[email protected]'
Subject: Re: [PacketFence-users] radius disconnect in Cisco WLC
Hi,
Yes I can ping the management interface of the WLC from the PF box.
Still struggling to get any usable debug information from the WLC.
Cheers,
Andi
From: Fletcher Haynes [mailto:[email protected]]
Sent: 15 May 2015 16:44
To:
[email protected]<mailto:[email protected]>
Subject: Re: [PacketFence-users] radius disconnect in Cisco WLC
I can confirm RADIUS disconnect works on WiSM 2s, with various software
versions from 7.x to 8.x....
Can you ping the WLC management IP from your PF box?
On Fri, May 15, 2015 at 7:35 AM, Morris, Andi
<[email protected]<mailto:[email protected]>> wrote:
Hi all,
A while back I remember that there was an issue with Cisco WLC controllers not
behaving when PF sends a radius disconnect message to them. Does anybody know
if this was ever resolved by Cisco, or has a work around been found? I have
5.0.1 in dev at the moment, using a Cisco WLC 5760 (version 03.06.01E RELEASE
SOFTWARE (fc3)). When unregistering devices from my nodes tab I see the
following in packetfence.log:
May 15 14:51:23 httpd.webservices(4941) WARN: Unable to perform RADIUS
Disconnect-Request: No answer from 192.168.196.13 on port 3799 at
/usr/local/pf/lib/pf/util/radius.pm line 145.
(pf::Switch::__ANON__)
May 15 14:51:33 httpd.webservices(4941) WARN: Unable to perform RADIUS
Disconnect-Request: Timeout waiting for a reply from 192.168.196.13 on port
3799 at /usr/local/pf/lib/pf/util/radius.pm line 163.
(pf::Switch::__ANON__)
May 15 14:51:33 httpd.webservices(4941) ERROR: Wrong RADIUS secret or
unreachable network device... (pf::Switch::__ANON__)
I have RFC 3576 support enabled on the WLC.
Cheers,
Andi
-------------------------------------
Andi Morris
IT Security Officer
Cardiff Metropolitan University
T: 02920 205720
E: [email protected]<mailto:[email protected]>
--------------------------------------
_______________________________________________
PacketFence-users mailing list
[email protected]<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fletcher Haynes <[email protected]<mailto:[email protected]>>
Systems Administrator/Network Services Consultant
Willamette Integrated Technology Services
Willamette University, Salem, OR
Phone: 503.370.6016