Hi Andy,

my answer/question below.

On 2015-06-25 11:29, Andy A wrote:
> Hi Fabrice. 
> Thanks for the comments, here's what you asked for.
>
> service packetfence status
> service|shouldBeStarted|pid
> dhcpd|1|1733
> haproxy|0|0
> httpd.aaa|1|1737
> httpd.admin|1|1709
> httpd.portal|1|1753
> httpd.proxy|0|0
> httpd.webservices|1|1785
> iptables|1|-1
> memcached|1|1797
> pfbandwidthd|0|0
> pfdetect|0|0
> pfdhcplistener_eth1|1|1849
> pfdhcplistener_eth2|1|1855
> pfdns|1|1860
> pfmon|1|1866
> pfsetvlan|1|1883
> radiusd|1|1897
> snmptrapd|1|1879
> snort|0|0
> suricata|0|0
> keepalived|0|0
>
>
> Connecting a laptop to the inline network via the AP. Here are the
> pfdhcplistener logs. Yes, I see DHCP request and an IP address is
> assigned to the laptop. I can ping 8.8.8.8 at this stage (once the
> laptop has acquired an IP address)
Ok so first it's not normal that you can ping 8.8.8.8 when you are unreg
(if you can check on the layer3 interface 172.31.30.1 if you are able to
force 8.8.8.8 to be behind packetfence 172.31.30.10)
>
>         pfdhcplistener(6280) INFO: DHCPREQUEST from 60:03:08:a5:84:3a
>         (10.252.7.81) with lease of 7776000 seconds
>         (main::parse_dhcp_request)
>
>         pfdhcplistener(6280) INFO: Matched MAC '60:03:08:a5:84:3a' to
>         IP address '10.0.1.12' using OMAPI (pf::iplog::mac2ip)
>
>         pfdhcplistener(6280) WARN: Unable to match MAC address to IP
>         '10.252.7.81' (pf::iplog::ip2mac)
>
>         pfdhcplistener(6280) ERROR: Use of uninitialized value in
>         string eq at /usr/local/pf/sbin/pfdhcplistener line
>         547.(main::update_iplog)
>
>         pfdhcplistener(6280) INFO: Matched MAC '60:03:08:a5:84:3a' to
>         IP address '10.0.1.12' using OMAPI (pf::iplog::mac2ip)
>
>         pfdhcplistener(6280) INFO: Matched MAC '60:03:08:a5:84:3a' to
>         IP address '10.0.1.12' using OMAPI (pf::iplog::mac2ip)
>
>         pfdhcplistener(6280) WARN: Unable to perform a Fingerbank
>         lookup for device with MAC address '60:03:08:a5:84:3a'
>         (pf::fingerbank::process)
>
>         pfdhcplistener(6280) INFO: 60:03:08:a5:84:3a requested an IP
>         with the following informations: last_dhcp = 2015-06-25
>         15:28:11,computername = lappy,dhcp_fingerprint =
>         1,3,6,15,119,95,252,44,46,dhcp_vendor =  (main::listen_dhcp)
>
>         pfdhcplistener(6280) INFO: 60:03:08:a5:84:3a is of device type
>          (main::listen_dhcp)
>
>         pfdhcplistener(6280) INFO: DHCPOFFER from 172.31.30.11
>         (00:50:56:93:22:a3) to host 60:03:08:a5:84:3a (10.0.1.12)
>         (main::parse_dhcp_offer)
>
>         pfdhcplistener(6280) INFO: DHCPREQUEST from 60:03:08:a5:84:3a
>         (10.0.1.12) (main::parse_dhcp_request)
>
>         pfdhcplistener(6280) INFO: Matched MAC '60:03:08:a5:84:3a' to
>         IP address '10.0.1.12' using OMAPI (pf::iplog::mac2ip)
>
>         pfdhcplistener(6280) INFO: Matched IP '10.0.1.12' to MAC
>         address '60:03:08:a5:84:3a' using OMAPI (pf::iplog::ip2mac)
>
>         pfdhcplistener(6280) INFO: Matched MAC '60:03:08:a5:84:3a' to
>         IP address '10.0.1.12' using OMAPI (pf::iplog::mac2ip)
>
>         pfdhcplistener(6280) INFO: Matched MAC '60:03:08:a5:84:3a' to
>         IP address '10.0.1.12' using OMAPI (pf::iplog::mac2ip)
>
>         pfdhcplistener(6280) WARN: Unable to perform a Fingerbank
>         lookup for device with MAC address '60:03:08:a5:84:3a'
>         (pf::fingerbank::process)
>
>         pfdhcplistener(6280) INFO: 60:03:08:a5:84:3a requested an IP
>         with the following informations: last_dhcp = 2015-06-25
>         15:28:13,computername = lappy,dhcp_fingerprint =
>         1,3,6,15,119,95,252,44,46,dhcp_vendor =  (main::listen_dhcp)
>
>         pfdhcplistener(6280) INFO: 60:03:08:a5:84:3a is of device type
>          (main::listen_dhcp)
>
>         pfdhcplistener(6280) INFO: DHCPACK from 172.31.30.11
>         (00:50:56:93:22:a3) to host 60:03:08:a5:84:3a (10.0.1.12) for
>         86400 seconds (main::parse_dhcp_ack)
>
>         pfdhcplistener(6280) INFO: Matched MAC '60:03:08:a5:84:3a' to
>         IP address '10.0.1.12' using OMAPI (pf::iplog::mac2ip)
>
>         pfdhcplistener(6280) INFO: Matched IP '10.0.1.12' to MAC
>         address '60:03:08:a5:84:3a' using OMAPI (pf::iplog::ip2mac)
>
>
> select * from locationlog where mac="60:03:08:a5:84:3a";
>
>      60:03:08:a5:84:3a | 172.31.30.11 | 0    | 0    | Inline        
>      |                |      | 2015-06-25 15:28:12 | 2015-06-25
>     15:28:23 | 172.31.30.11 | NULL       | NULL               | NULL
>      | NULL       |
>
> Just so you know, I have 42 entries for that MAC address as I have
> been using the same device to test over the past days. 
>
Do you have an entry where end_time is NULL?
Also, can you post all the results?

> Logs after registering the laptop via portal. I believe you would need
> logs from packetfence.log  (as nothing showed up in pfdhcplistener.log)
>
>         /usr/local/pf/logs/packetfence.log <==
>
>         httpd.portal(6630) INFO: Matched IP '10.0.1.12' to MAC address
>         '60:03:08:a5:84:3a' using OMAPI (pf::iplog::ip2mac)
>
>         httpd.portal(6630) INFO: registering 60:03:08:a5:84:3a guest
>         by email
>         
> (captiveportal::PacketFence::Controller::Signup::doEmailSelfRegistration)
>
>         httpd.portal(6630) INFO: Matched rule (catchall) in source
>         email, returning actions. (pf::Authentication::Source::match)
>
>         httpd.portal(6630) WARN: Can't find provisioner for
>         60:03:08:a5:84:3a since we don't have it's OS
>         (pf::Portal::Profile::findProvisioner)
>
>         httpd.portal(6630) INFO: [60:03:08:a5:84:3a] re-evaluating
>         access (manage_register called)
>         (pf::enforcement::reevaluate_access)
>
>         httpd.portal(6630) WARN: [60:03:08:a5:84:3a] Can't re-evaluate
>         access because no open locationlog entry was found
>         (pf::enforcement::reevaluate_access)
>
This is the issue, since PacketFence doesn't know where the device is
(it's supposed to be marked as Inline in the locationlog).
>
>         httpd.portal(6630) INFO: new activation code successfully
>         generated (pf::activation::create)
>
>         httpd.portal(6630) INFO: Email sent to [email protected]
>         (xxxx.com: Email activation required) (pf::activation::__ANON__)
>
>         httpd.portal(6630) WARN: Can't find provisioner for
>         60:03:08:a5:84:3a since we don't have it's OS
>         (pf::Portal::Profile::findProvisioner)
>
>         httpd.portal(6643) INFO: Matched IP '10.0.1.12' to MAC address
>         '60:03:08:a5:84:3a' using OMAPI (pf::iplog::ip2mac)
>
>         httpd.portal(6659) INFO: Matched IP '10.0.1.12' to MAC address
>         '60:03:08:a5:84:3a' using OMAPI (pf::iplog::ip2mac)
>
>         httpd.portal(6621) INFO: Matched IP '10.0.1.12' to MAC address
>         '60:03:08:a5:84:3a' using OMAPI (pf::iplog::ip2mac)
>
>         httpd.portal(6621) WARN: Unable to perform a Fingerbank lookup
>         for device with MAC address '60:03:08:a5:84:3a'
>         (pf::fingerbank::process) 
>
>
> Here's where the redirection to 'your network should be enabled
> within... ' page happens.
>
>         httpd.portal(6621) INFO: [60:03:08:a5:84:3a] shouldn't reach
>         here. Calling access re-evaluation. Make sure your network
>         device configuration is correct.
>         (captiveportal::PacketFence::Controller::CaptivePortal::unknownState)
>
>         httpd.portal(6621) INFO: [60:03:08:a5:84:3a] re-evaluating
>         access (redir.cgi called) (pf::enforcement::reevaluate_access)
>
>         httpd.portal(6621) WARN: [60:03:08:a5:84:3a] Can't re-evaluate
>         access because no open locationlog entry was found
>         (pf::enforcement::reevaluate_access)
>
Same here.
>
> Here's the ipset after I have just registered the laptop. (and I know
> that the above IP should appear under pfsession_Reg_10.0.1.0 as a member)
> ipset -L
> Name: pfsession_Unreg_10.0.1.0
> Type: bitmap:ip
> Header: range 10.0.1.0-10.0.1.255
> Size in memory: 152
> References: 1
> Members:
>
> Name: pfsession_Reg_10.0.1.0
> Type: bitmap:ip
> Header: range 10.0.1.0-10.0.1.255
> Size in memory: 152
> References: 1
> Members:
>
> Name: pfsession_Isol_10.0.1.0
> Type: bitmap:ip
> Header: range 10.0.1.0-10.0.1.255
> Size in memory: 152
> References: 1
> Members:
>
>
> And I know it could be a problem with sudoers and the whole..
> su - pf
> and launch sudo ipset -L
> If it doesn't work it means that there is a problem with the sudoers file.
>
> But here's the thing, as soon as I get off the AP and inline network
> and then join back here are the logs and ipset -L
>
>          /usr/local/pf/logs/pfdhcplistener.log <==
>
>         pfdhcplistener(6280) INFO: DHCPREQUEST from 60:03:08:a5:84:3a
>         (10.0.1.12) (main::parse_dhcp_request)
>
>         pfdhcplistener(6280) INFO: Matched MAC '60:03:08:a5:84:3a' to
>         IP address '10.0.1.12' using OMAPI (pf::iplog::mac2ip)
>
>         pfdhcplistener(6280) INFO: Matched IP '10.0.1.12' to MAC
>         address '60:03:08:a5:84:3a' using OMAPI (pf::iplog::ip2mac)
>
>         pfdhcplistener(6280) INFO: Matched MAC '60:03:08:a5:84:3a' to
>         IP address '10.0.1.12' using OMAPI (pf::iplog::mac2ip)
>
>         pfdhcplistener(6280) INFO: Matched MAC '60:03:08:a5:84:3a' to
>         IP address '10.0.1.12' using OMAPI (pf::iplog::mac2ip)
>
>         pfdhcplistener(6280) INFO: [60:03:08:a5:84:3a] stated changed,
>         adapting firewall rules for proper enforcement
>         (pf::inline::performInlineEnforcement)
>
>         pfdhcplistener(6280) INFO: Matched MAC '60:03:08:a5:84:3a' to
>         IP address '10.0.1.12' using OMAPI (pf::iplog::mac2ip)
>
>         *pfdhcplistener(6280) WARN: Problem trying to run command:
>         LANG=C sudo ipset --del pfsession_Unreg_10.0.1.0 10.0.1.12
>         2>&1 called from iptables_unmark_node. Child exited with
>         non-zero value 1 (pf::util::pf_run)*
>
>         pfdhcplistener(6280) INFO: Flushed connections for 10.0.1.12.
>         (pf::ipset::iptables_unmark_node)
>
>         pfdhcplistener(6280) INFO: Matched MAC '60:03:08:a5:84:3a' to
>         IP address '10.0.1.12' using OMAPI (pf::iplog::mac2ip)
>
>         pfdhcplistener(6280) INFO: Matched MAC '60:03:08:a5:84:3a' to
>         IP address '10.0.1.12' using OMAPI (pf::iplog::mac2ip)
>
>         pfdhcplistener(6280) WARN: Unable to perform a Fingerbank
>         lookup for device with MAC address '60:03:08:a5:84:3a'
>         (pf::fingerbank::process)
>
>         pfdhcplistener(6280) INFO: 60:03:08:a5:84:3a requested an IP
>         with the following informations: last_dhcp = 2015-06-25
>         15:43:11,computername = lappy,dhcp_fingerprint =
>         1,3,6,15,119,95,252,44,46,dhcp_vendor =
>          dhcpcd-5.5.6 (main::listen_dhcp)
>
>         pfdhcplistener(6280) INFO: 60:03:08:a5:84:3a is of device type
>          (main::listen_dhcp)
>
>         pfdhcplistener(6280) INFO: DHCPACK from 172.31.30.11
>         (00:50:56:93:22:a3) to host 60:03:08:a5:84:3a (10.0.1.12) for
>         86400 seconds (main::parse_dhcp_ack)
>
>         pfdhcplistener(6280) INFO: Matched MAC '60:03:08:a5:84:3a' to
>         IP address '10.0.1.12' using OMAPI (pf::iplog::mac2ip)
>
>         pfdhcplistener(6280) INFO: Matched IP '10.0.1.12' to MAC
>         address '60:03:08:a5:84:3a' using OMAPI (pf::iplog::ip2mac)
>
>
> ipset -L
> Name: pfsession_Unreg_10.0.1.0
> Type: bitmap:ip
> Header: range 10.0.1.0-10.0.1.255
> Size in memory: 152
> References: 1
> Members:
>
> Name: pfsession_Reg_10.0.1.0
> Type: bitmap:ip
> Header: range 10.0.1.0-10.0.1.255
> Size in memory: 152
> References: 1
> Members:
> 10.0.1.12
>
> Name: pfsession_Isol_10.0.1.0
> Type: bitmap:ip
> Header: range 10.0.1.0-10.0.1.255
> Size in memory: 152
> References: 1
> Members:
>
> I wait for 10 minutes (and let the device become unregistered again)
> so ipset -L says 
> ipset -L
> Name: pfsession_Unreg_10.0.1.0
> Type: bitmap:ip
> Header: range 10.0.1.0-10.0.1.255
> Size in memory: 152
> References: 1
> Members:
> 10.0.1.12
>
> Name: pfsession_Reg_10.0.1.0
> Type: bitmap:ip
> Header: range 10.0.1.0-10.0.1.255
> Size in memory: 152
> References: 1
> Members:
>
>
> Name: pfsession_Isol_10.0.1.0
> Type: bitmap:ip
> Header: range 10.0.1.0-10.0.1.255
> Size in memory: 152
> References: 1
> Members:
>
> after that I was able to remove the device as follows
> su - pf
> sudo ipset --del pfsession_Unreg_10.0.1.0 10.0.1.12 2>&1
> sudo ipset -L
> Name: pfsession_Unreg_10.0.1.0
> Type: bitmap:ip
> Header: range 10.0.1.0-10.0.1.255
> Size in memory: 152
> References: 1
> Members:
>
> Name: pfsession_Reg_10.0.1.0
> Type: bitmap:ip
> Header: range 10.0.1.0-10.0.1.255
> Size in memory: 152
> References: 1
> Members:
>
>
> Name: pfsession_Isol_10.0.1.0
> Type: bitmap:ip
> Header: range 10.0.1.0-10.0.1.255
> Size in memory: 152
> References: 1
> Members:
>
> So I am not quite sure what the problem is. Why there is no entry in
> ipset when I register, but immediately when I leave the AP and get
> back on again, the IP appears in the ipset list (and the internet
> works fine).
>
ipset has been updated because of a new dhcp request.
> ------------------------------------------------------------------------
> Date: Thu, 25 Jun 2015 07:42:10 -0400
> From: [email protected]
> To: [email protected]
> Subject: Re: [PacketFence-users] Signup doesn't work
>
> Hi Andy,
>
> Can you check something for me ?
>
> -First service packetfence status
> -Next connect the laptop in the inline network and check in
> pfdhcplistener.log if you see the dhcp request.
> -Next check in the database the locationlog entry if it set to inline:
> select * from locationlog where mac="00:11:22:33:44:55";
> -Next register the device and paste the log.
> -Paste ipset -L
>
> Are you able to ping 8.8.8.8 ?
>
> With that i will probably be able to let you know what is the issue.
>
> Regards
> Fabrice
>  
> On 2015-06-25 06:20, Andy A wrote:
>
>     Hi Louis.
>
>     Thanks for the reply. Actually, after I sent the last post, it's
>     gone back to the same and now it's the same for ALL devices
>     (Android or iOS)
>     So disregard my momentary jubilation on it working for Android device.
>
>     Thanks for letting me know you are away, that will certainly
>     dampen my hope of resolving this within the next 3 days. But I
>     will keep testing and posting.
>
>     ------------------------------------------------------------------------
>     From: [email protected] <mailto:[email protected]>
>     Date: Wed, 24 Jun 2015 15:35:56 -0400
>     To: [email protected]
>     <mailto:[email protected]>
>     Subject: Re: [PacketFence-users] Signup doesn't work
>
>
>
>     On Jun 24, 2015, at 12:54 , Andy A <[email protected]
>     <mailto:[email protected]>> wrote:
>
>         One way to get internet access in my current situation (where
>         I get 'Your network should be enabled within a minute or two
>         message') - I have figured out is, to disconnect from the AP
>         and then connect back again.
>         BOOM everything then works. But this is a very horrible
>         experience for a user and I can't expect the user to try this
>         funky hack to get internet access after registration.
>
>         I found
>         this http://www.packetfence.org/bugs/view.php?id=1655 which
>         describes the exact same issue and is a BUG. Not sure it has
>         been fixed yet. Can anyone confirm this?
>
>
>     That bug report is so old as to be useless now.
>
>     I would rather start from scratch.
>
>     Internet access basically depends on being placed in the proper IPset.
>     Can you check if registration happens differently for iOS devices?
>     Are they placed in the same IPset as the Android ones?
>
>
>     I’ll be away from work for the next three days. Back on the 29th.
>     Keep posting, someone else may be able to help or else I’ll have a
>     look on Monday.
>
>     Regards,
>     --
>     Louis Munro
>     [email protected] <mailto:[email protected]>  ::  www.inverse.ca
>     <http://www.inverse.ca> 
>     +1.514.447.4918 x125  :: +1 (866) 353-6153 x125
>     Inverse inc. :: Leaders behind SOGo (www.sogo.nu
>     <http://www.sogo.nu>) and PacketFence (www.packetfence.org
>     <http://www.packetfence.org>)
>
>     


-- 
Fabrice Durand
[email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
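
The two checks this thread keeps returning to, the `no open locationlog entry` warning in packetfence.log and membership of the `pfsession_*` sets in `ipset -L`, can be correlated per device. The following is an added example, not part of the original messages and not PacketFence code; the function names and the `stuck_after_registration` heuristic are assumptions, and the sample input is constructed from the excerpts quoted above.

```python
import re
from collections import Counter

# Warning text as quoted in the thread; group 1 is the device MAC.
NO_OPEN_LOCATIONLOG = re.compile(
    r"WARN: \[([0-9a-f:]{17})\] Can't re-evaluate access because no open locationlog entry", re.I)
# Inline set names seen in the thread: pfsession_<Role>_<network>
SET_NAME = re.compile(r"^pfsession_(?P<role>Unreg|Reg|Isol)_(?P<net>[\d.]+)$")

def parse_ipset_list(text):
    """Parse `ipset -L` output into {set_name: [member, ...]}."""
    sets, current, in_members = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Name:"):
            current = line.split(":", 1)[1].strip()
            sets[current] = []
            in_members = False
        elif line == "Members:":
            in_members = True
        elif not line:
            in_members = False          # a blank line ends the member list
        elif in_members and current is not None:
            sets[current].append(line.split()[0])
    return sets

def failed_reevaluations(log_text):
    """Count 'no open locationlog entry' warnings per MAC address."""
    return Counter(m.group(1).lower() for m in NO_OPEN_LOCATIONLOG.finditer(log_text))

def roles_for_ip(sets, ip):
    """Return the roles (Unreg/Reg/Isol) whose pfsession set contains ip."""
    return [m.group("role") for name, members in sets.items()
            if (m := SET_NAME.match(name)) and ip in members]

def diagnose(mac, ip, log_text, ipset_text):
    """Summarise one device; 'stuck' is a heuristic assumed for this example."""
    roles = roles_for_ip(parse_ipset_list(ipset_text), ip)
    failures = failed_reevaluations(log_text)[mac.lower()]
    return {"mac": mac, "ip": ip, "roles": roles, "failed_reevaluations": failures,
            "stuck_after_registration": failures > 0 and "Reg" not in roles}

# Constructed sample input, assembled from the excerpts quoted in the thread.
SAMPLE_LOG = """\
httpd.portal(6630) WARN: [60:03:08:a5:84:3a] Can't re-evaluate access because no open locationlog entry was found (pf::enforcement::reevaluate_access)
httpd.portal(6621) WARN: [60:03:08:a5:84:3a] Can't re-evaluate access because no open locationlog entry was found (pf::enforcement::reevaluate_access)
"""
SAMPLE_IPSET = """\
Name: pfsession_Unreg_10.0.1.0
Type: bitmap:ip
Members:

Name: pfsession_Reg_10.0.1.0
Type: bitmap:ip
Members:
"""

if __name__ == "__main__":
    print(diagnose("60:03:08:a5:84:3a", "10.0.1.12", SAMPLE_LOG, SAMPLE_IPSET))
```
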

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
