Hi Fabrice. Thanks for the comments, here's what you asked for.
service packetfence status
service|shouldBeStarted|pid
dhcpd|1|1733
haproxy|0|0
httpd.aaa|1|1737
httpd.admin|1|1709
httpd.portal|1|1753
httpd.proxy|0|0
httpd.webservices|1|1785
iptables|1|-1
memcached|1|1797
pfbandwidthd|0|0
pfdetect|0|0
pfdhcplistener_eth1|1|1849
pfdhcplistener_eth2|1|1855
pfdns|1|1860
pfmon|1|1866
pfsetvlan|1|1883
radiusd|1|1897
snmptrapd|1|1879
snort|0|0
suricata|0|0
keepalived|0|0
Connecting a laptop to the inline network via the AP. Here are the
pfdhcplistener logs. Yes, I see DHCP request and an IP address is assigned to
the laptop. I can ping 8.8.8.8 at this stage (once the laptop has acquired an
IP address)
pfdhcplistener(6280) INFO: DHCPREQUEST from 60:03:08:a5:84:3a (10.252.7.81) with lease of 7776000 seconds (main::parse_dhcp_request)
pfdhcplistener(6280) INFO: Matched MAC '60:03:08:a5:84:3a' to IP address '10.0.1.12' using OMAPI (pf::iplog::mac2ip)
pfdhcplistener(6280) WARN: Unable to match MAC address to IP '10.252.7.81' (pf::iplog::ip2mac)
pfdhcplistener(6280) ERROR: Use of uninitialized value in string eq at /usr/local/pf/sbin/pfdhcplistener line 547. (main::update_iplog)
pfdhcplistener(6280) INFO: Matched MAC '60:03:08:a5:84:3a' to IP address '10.0.1.12' using OMAPI (pf::iplog::mac2ip)
pfdhcplistener(6280) INFO: Matched MAC '60:03:08:a5:84:3a' to IP address '10.0.1.12' using OMAPI (pf::iplog::mac2ip)
pfdhcplistener(6280) WARN: Unable to perform a Fingerbank lookup for device with MAC address '60:03:08:a5:84:3a' (pf::fingerbank::process)
pfdhcplistener(6280) INFO: 60:03:08:a5:84:3a requested an IP with the following informations: last_dhcp = 2015-06-25 15:28:11,computername = lappy,dhcp_fingerprint = 1,3,6,15,119,95,252,44,46,dhcp_vendor = (main::listen_dhcp)
pfdhcplistener(6280) INFO: 60:03:08:a5:84:3a is of device type (main::listen_dhcp)
pfdhcplistener(6280) INFO: DHCPOFFER from 172.31.30.11 (00:50:56:93:22:a3) to host 60:03:08:a5:84:3a (10.0.1.12) (main::parse_dhcp_offer)
pfdhcplistener(6280) INFO: DHCPREQUEST from 60:03:08:a5:84:3a (10.0.1.12) (main::parse_dhcp_request)
pfdhcplistener(6280) INFO: Matched MAC '60:03:08:a5:84:3a' to IP address '10.0.1.12' using OMAPI (pf::iplog::mac2ip)
pfdhcplistener(6280) INFO: Matched IP '10.0.1.12' to MAC address '60:03:08:a5:84:3a' using OMAPI (pf::iplog::ip2mac)
pfdhcplistener(6280) INFO: Matched MAC '60:03:08:a5:84:3a' to IP address '10.0.1.12' using OMAPI (pf::iplog::mac2ip)
pfdhcplistener(6280) INFO: Matched MAC '60:03:08:a5:84:3a' to IP address '10.0.1.12' using OMAPI (pf::iplog::mac2ip)
pfdhcplistener(6280) WARN: Unable to perform a Fingerbank lookup for device with MAC address '60:03:08:a5:84:3a' (pf::fingerbank::process)
pfdhcplistener(6280) INFO: 60:03:08:a5:84:3a requested an IP with the following informations: last_dhcp = 2015-06-25 15:28:13,computername = lappy,dhcp_fingerprint = 1,3,6,15,119,95,252,44,46,dhcp_vendor = (main::listen_dhcp)
pfdhcplistener(6280) INFO: 60:03:08:a5:84:3a is of device type (main::listen_dhcp)
pfdhcplistener(6280) INFO: DHCPACK from 172.31.30.11 (00:50:56:93:22:a3) to host 60:03:08:a5:84:3a (10.0.1.12) for 86400 seconds (main::parse_dhcp_ack)
pfdhcplistener(6280) INFO: Matched MAC '60:03:08:a5:84:3a' to IP address '10.0.1.12' using OMAPI (pf::iplog::mac2ip)
pfdhcplistener(6280) INFO: Matched IP '10.0.1.12' to MAC address '60:03:08:a5:84:3a' using OMAPI (pf::iplog::ip2mac)
select * from locationlog where mac="60:03:08:a5:84:3a";
60:03:08:a5:84:3a | 172.31.30.11 | 0 | 0 | Inline | | | 2015-06-25 15:28:12 | 2015-06-25 15:28:23 | 172.31.30.11 | NULL | NULL | NULL | NULL |
Just so you know, I have 42 entries for that MAC address as I have been using the same device to test over the past days.
Logs after registering the laptop via portal. I believe you would need logs
from packetfence.log (as nothing showed up in pfdhcplistener.log)
/usr/local/pf/logs/packetfence.log <==
httpd.portal(6630) INFO: Matched IP '10.0.1.12' to MAC address '60:03:08:a5:84:3a' using OMAPI (pf::iplog::ip2mac)
httpd.portal(6630) INFO: registering 60:03:08:a5:84:3a guest by email (captiveportal::PacketFence::Controller::Signup::doEmailSelfRegistration)
httpd.portal(6630) INFO: Matched rule (catchall) in source email, returning actions. (pf::Authentication::Source::match)
httpd.portal(6630) WARN: Can't find provisioner for 60:03:08:a5:84:3a since we don't have it's OS (pf::Portal::Profile::findProvisioner)
httpd.portal(6630) INFO: [60:03:08:a5:84:3a] re-evaluating access (manage_register called) (pf::enforcement::reevaluate_access)
httpd.portal(6630) WARN: [60:03:08:a5:84:3a] Can't re-evaluate access because no open locationlog entry was found (pf::enforcement::reevaluate_access)
httpd.portal(6630) INFO: new activation code successfully generated (pf::activation::create)
httpd.portal(6630) INFO: Email sent to [email protected] (xxxx.com: Email activation required) (pf::activation::__ANON__)
httpd.portal(6630) WARN: Can't find provisioner for 60:03:08:a5:84:3a since we don't have it's OS (pf::Portal::Profile::findProvisioner)
httpd.portal(6643) INFO: Matched IP '10.0.1.12' to MAC address '60:03:08:a5:84:3a' using OMAPI (pf::iplog::ip2mac)
httpd.portal(6659) INFO: Matched IP '10.0.1.12' to MAC address '60:03:08:a5:84:3a' using OMAPI (pf::iplog::ip2mac)
httpd.portal(6621) INFO: Matched IP '10.0.1.12' to MAC address '60:03:08:a5:84:3a' using OMAPI (pf::iplog::ip2mac)
httpd.portal(6621) WARN: Unable to perform a Fingerbank lookup for device with MAC address '60:03:08:a5:84:3a' (pf::fingerbank::process)
Here's where the redirection to 'your network should be enabled within... '
page happens.
httpd.portal(6621) INFO: [60:03:08:a5:84:3a] shouldn't reach here. Calling access re-evaluation. Make sure your network device configuration is correct. (captiveportal::PacketFence::Controller::CaptivePortal::unknownState)
httpd.portal(6621) INFO: [60:03:08:a5:84:3a] re-evaluating access (redir.cgi called) (pf::enforcement::reevaluate_access)
httpd.portal(6621) WARN: [60:03:08:a5:84:3a] Can't re-evaluate access because no open locationlog entry was found (pf::enforcement::reevaluate_access)
Here's the ipset after I have just registered the laptop. (and I know that the
above IP should appear under pfsession_Reg_10.0.1.0 as a member)
ipset -L
Name: pfsession_Unreg_10.0.1.0
Type: bitmap:ip
Header: range 10.0.1.0-10.0.1.255
Size in memory: 152
References: 1
Members:
Name: pfsession_Reg_10.0.1.0
Type: bitmap:ip
Header: range 10.0.1.0-10.0.1.255
Size in memory: 152
References: 1
Members:
Name: pfsession_Isol_10.0.1.0
Type: bitmap:ip
Header: range 10.0.1.0-10.0.1.255
Size in memory: 152
References: 1
Members:
And I know it could be a problem with sudoers and the whole..
su - pf
and launch sudo ipset -L
If it doesn't work it means that there is a problem with sudoers file.
But here's the thing, as soon as I get off the AP and inline network and then
join back here are the logs and ipset -L
/usr/local/pf/logs/pfdhcplistener.log <==
pfdhcplistener(6280) INFO: DHCPREQUEST from 60:03:08:a5:84:3a (10.0.1.12) (main::parse_dhcp_request)
pfdhcplistener(6280) INFO: Matched MAC '60:03:08:a5:84:3a' to IP address '10.0.1.12' using OMAPI (pf::iplog::mac2ip)
pfdhcplistener(6280) INFO: Matched IP '10.0.1.12' to MAC address '60:03:08:a5:84:3a' using OMAPI (pf::iplog::ip2mac)
pfdhcplistener(6280) INFO: Matched MAC '60:03:08:a5:84:3a' to IP address '10.0.1.12' using OMAPI (pf::iplog::mac2ip)
pfdhcplistener(6280) INFO: Matched MAC '60:03:08:a5:84:3a' to IP address '10.0.1.12' using OMAPI (pf::iplog::mac2ip)
pfdhcplistener(6280) INFO: [60:03:08:a5:84:3a] stated changed, adapting firewall rules for proper enforcement (pf::inline::performInlineEnforcement)
pfdhcplistener(6280) INFO: Matched MAC '60:03:08:a5:84:3a' to IP address '10.0.1.12' using OMAPI (pf::iplog::mac2ip)
pfdhcplistener(6280) WARN: Problem trying to run command: LANG=C sudo ipset --del pfsession_Unreg_10.0.1.0 10.0.1.12 2>&1 called from iptables_unmark_node. Child exited with non-zero value 1 (pf::util::pf_run)
pfdhcplistener(6280) INFO: Flushed connections for 10.0.1.12. (pf::ipset::iptables_unmark_node)
pfdhcplistener(6280) INFO: Matched MAC '60:03:08:a5:84:3a' to IP address '10.0.1.12' using OMAPI (pf::iplog::mac2ip)
pfdhcplistener(6280) INFO: Matched MAC '60:03:08:a5:84:3a' to IP address '10.0.1.12' using OMAPI (pf::iplog::mac2ip)
pfdhcplistener(6280) WARN: Unable to perform a Fingerbank lookup for device with MAC address '60:03:08:a5:84:3a' (pf::fingerbank::process)
pfdhcplistener(6280) INFO: 60:03:08:a5:84:3a requested an IP with the following informations: last_dhcp = 2015-06-25 15:43:11,computername = lappy,dhcp_fingerprint = 1,3,6,15,119,95,252,44,46,dhcp_vendor = dhcpcd-5.5.6 (main::listen_dhcp)
pfdhcplistener(6280) INFO: 60:03:08:a5:84:3a is of device type (main::listen_dhcp)
pfdhcplistener(6280) INFO: DHCPACK from 172.31.30.11 (00:50:56:93:22:a3) to host 60:03:08:a5:84:3a (10.0.1.12) for 86400 seconds (main::parse_dhcp_ack)
pfdhcplistener(6280) INFO: Matched MAC '60:03:08:a5:84:3a' to IP address '10.0.1.12' using OMAPI (pf::iplog::mac2ip)
pfdhcplistener(6280) INFO: Matched IP '10.0.1.12' to MAC address '60:03:08:a5:84:3a' using OMAPI (pf::iplog::ip2mac)
ipset -L
Name: pfsession_Unreg_10.0.1.0
Type: bitmap:ip
Header: range 10.0.1.0-10.0.1.255
Size in memory: 152
References: 1
Members:
Name: pfsession_Reg_10.0.1.0
Type: bitmap:ip
Header: range 10.0.1.0-10.0.1.255
Size in memory: 152
References: 1
Members:
10.0.1.12
Name: pfsession_Isol_10.0.1.0
Type: bitmap:ip
Header: range 10.0.1.0-10.0.1.255
Size in memory: 152
References: 1
Members:
I wait for 10 minutes (and let the device become unregistered again) so ipset
-L says
ipset -L
Name: pfsession_Unreg_10.0.1.0
Type: bitmap:ip
Header: range 10.0.1.0-10.0.1.255
Size in memory: 152
References: 1
Members:
10.0.1.12
Name: pfsession_Reg_10.0.1.0
Type: bitmap:ip
Header: range 10.0.1.0-10.0.1.255
Size in memory: 152
References: 1
Members:
Name: pfsession_Isol_10.0.1.0
Type: bitmap:ip
Header: range 10.0.1.0-10.0.1.255
Size in memory: 152
References: 1
Members:
after that I was able to remove the device as follows
su - pf
sudo ipset --del pfsession_Unreg_10.0.1.0 10.0.1.12 2>&1
sudo ipset -L
Name: pfsession_Unreg_10.0.1.0
Type: bitmap:ip
Header: range 10.0.1.0-10.0.1.255
Size in memory: 152
References: 1
Members:
Name: pfsession_Reg_10.0.1.0
Type: bitmap:ip
Header: range 10.0.1.0-10.0.1.255
Size in memory: 152
References: 1
Members:
Name: pfsession_Isol_10.0.1.0
Type: bitmap:ip
Header: range 10.0.1.0-10.0.1.255
Size in memory: 152
References: 1
Members:
So I am not quite sure what the problem is. Why there is no entry in ipset when
I register, but immediately when I leave the AP and get back on again, the IP
appears in the ipset list (and the internet works fine).
Date: Thu, 25 Jun 2015 07:42:10 -0400
From: [email protected]
To: [email protected]
Subject: Re: [PacketFence-users] Signup doesn't work
Hi Andy,
Can you check something for me?
-First service packetfence status
-Next connect the laptop in the inline network and check in
pfdhcplistener.log if you see the dhcp request.
-Next check in the database the locationlog entry if it is set to
inline:
select * from locationlog where mac="00:11:22:33:44:55";
-Next register the device and paste the log.
-Paste ipset -L
Are you able to ping 8.8.8.8?
With that I will probably be able to let you know what is the issue.
Regards
Fabrice
On 2015-06-25 06:20, Andy A wrote:
Hi Louis.
Thanks for the reply. Actually, after I sent the last post,
it's gone back to the same and now it's the same for ALL
devices (Android or iOS)
So disregard my momentary jubilation on it working for
Android device.
Thanks for letting me know you are away, that will
certainly dampen my hope of resolving this within the next 3
days. But I will keep testing and posting.
From: [email protected]
Date: Wed, 24 Jun 2015 15:35:56 -0400
To: [email protected]
Subject: Re: [PacketFence-users] Signup doesn't work
On Jun 24, 2015, at 12:54 , Andy A <[email protected]>
wrote:
One way to get internet access in my current situation (where I get
'Your network should be enabled within a minute or two' message) - I have
figured out is, to disconnect from the AP and then connect back again.
BOOM everything then works. But this is a very horrible experience for a
user and I can't expect the user to try this funky hack to get internet
access after registration.
I found this http://www.packetfence.org/bugs/view.php?id=1655 which
describes the exact same issue and is a BUG. Not sure it has been fixed yet.
Can anyone confirm this?
That bug report is so old as to be useless now.
I would rather start from scratch.
Internet access basically depends on being placed in
the proper IPset.
Can you check if registration happens differently for
iOS devices?
Are they placed in the same IPset as the Android ones?
I’ll be away from work for the next three days. Back on
the 29th.
Keep posting, someone else may be able to help or else
I’ll have a look on Monday.
Regards,
--
Louis Munro
[email protected]
:: www.inverse.ca
+1.514.447.4918 x125 :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
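The check this thread performs by hand, as an added example (not part of the original messages and not PacketFence code): it parses ipset -L output and the portal log to report which pfsession_* set holds a client IP and whether access re-evaluation was skipped for its MAC. The function names are hypothetical; the sample text reproduces the ipset listing and log lines quoted in the thread, laid out one field per line.

```python
import re

# Sample input reproduced from the thread, laid out the way `ipset -L` prints it.
IPSET_AFTER_REGISTRATION = """\
Name: pfsession_Unreg_10.0.1.0
Type: bitmap:ip
Header: range 10.0.1.0-10.0.1.255
Size in memory: 152
References: 1
Members:

Name: pfsession_Reg_10.0.1.0
Type: bitmap:ip
Header: range 10.0.1.0-10.0.1.255
Size in memory: 152
References: 1
Members:
"""

PORTAL_LOG = """\
httpd.portal(6630) INFO: [60:03:08:a5:84:3a] re-evaluating access (manage_register called) (pf::enforcement::reevaluate_access)
httpd.portal(6630) WARN: [60:03:08:a5:84:3a] Can't re-evaluate access because no open locationlog entry was found (pf::enforcement::reevaluate_access)
"""

def parse_ipset_list(text):
    """Return {set_name: [member_ip, ...]} from `ipset -L` output."""
    sets, current, in_members = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Name:"):
            current = line.split(":", 1)[1].strip()
            sets[current] = []
            in_members = False
        elif line == "Members:":
            in_members = True
        elif line and in_members and current is not None:
            # Keep only the address; entries may carry options such as a timeout.
            sets[current].append(line.split()[0])
    return sets

SKIPPED = re.compile(r"WARN: \[([0-9a-f:]{17})\] Can't re-evaluate access because no open locationlog entry")

def skipped_reevaluations(log_text):
    """MACs whose access re-evaluation was skipped (no open locationlog entry)."""
    return sorted(set(SKIPPED.findall(log_text)))

def diagnose(mac, ip, ipset_text, log_text):
    """Name the set holding ip (None if absent) and flag skipped enforcement for mac."""
    role = next((n for n, m in parse_ipset_list(ipset_text).items() if ip in m), None)
    return {"ipset": role, "reevaluation_skipped": mac in skipped_reevaluations(log_text)}
```

On the post-registration sample the IP is in no set and the re-evaluation is reported as skipped, which matches the symptom described in the thread.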