Hello again,
Thanks for all the help so far. I'm happily nearly completely functional with my initial testing of PF 5.3.1 but I've got a couple remaining issues.

My wireless infrastructure is an HP MSM760 mobility controller with 55 MSM460 access points. Currently I have added the controller and the AP on my desk to the system for testing. The configuration mostly works except for one issue.

When I connect a new device to the SSID I have configured for mac-authentication, I am successfully connected to the captive portal. I can then authorize the system and PF appears to be making the necessary changes for network access. The problem is that disassociation never occurs because the server is ignoring the Controller IP Address set in the switch config and is instead attempting to connect to the AP directly, which will not work as direct SSH connections to the APs are not available when the APs are in controlled mode. If I manually disconnect/reconnect or restart the device the system works as expected.

As you can see from the logs below the PF server is attempting to contact 10.10.10.120 but should be contacting 10.10.10.2.

What I believe to be the relevant logs and config file excerpts are below. Any ideas what I'm missing here?

Thanks,
Paul

****Initial Connection****
Jul 30 02:29:24 httpd.portal(3485) INFO: [LCHS-DC00 EmployeeDevReg] Found a match (CN=StaffRegistration,OU=Staff,OU=LutherUsers,DC=luthercollege,DC=edu) (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jul 30 02:29:24 httpd.portal(3485) INFO: Matched rule (EmployeeDevReg) in source LCHS-DC00, returning actions. (pf::Authentication::Source::match)
Jul 30 02:29:24 httpd.portal(3485) INFO: Just finished seting the node up (captiveportal::PacketFence::Controller::Authenticate::postAuthentication)
Jul 30 02:29:24 httpd.portal(3485) INFO: Passed by the provisioning (captiveportal::PacketFence::Controller::Authenticate::postAuthentication)
Jul 30 02:29:24 httpd.portal(3485) INFO: person staffregistration modified to StaffRegistration (pf::person::person_modify)
Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] re-evaluating access (manage_register called) (pf::enforcement::reevaluate_access)
Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] is currentlog connected at (10.10.10.120) ifIndex 0 in VLAN 50 (pf::enforcement::_should_we_reassign_vlan)
Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] Can't find provisioner (pf::vlan::getNormalVlan)
Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] Can't find scan engine (pf::vlan::getNormalVlan)
Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] Connection type is WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] Username was defined "503cc47125c3" - returning user based role 'EmployeeRegistration' (pf::vlan::getNormalVlan)
Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] PID: "staffregistration", Status: reg Returned VLAN: 5, Role: EmployeeRegistration (pf::vlan::fetchVlanForNode)
Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] VLAN reassignment required (current VLAN = 50 but should be in VLAN 5) (pf::enforcement::_should_we_reassign_vlan)
Jul 30 02:29:25 httpd.portal(3485) INFO: [50:3c:c4:71:25:c3] switch port is (10.10.10.120) ifIndex unknown connection type: WiFi MAC Auth (pf::enforcement::_vlan_reevaluation)
Jul 30 02:29:25 httpd.webservices(2088) INFO: Memory configuration is not valid anymore for key config::Switch in local cached_hash (pfconfig::cached::is_valid)
Jul 30 02:29:25 httpd.portal(3699) INFO: Matched IP '10.10.50.20' to MAC address '50:3c:c4:71:25:c3' using OMAPI (pf::iplog::ip2mac)
Jul 30 02:29:25 httpd.portal(3485) INFO: Matched IP '10.10.50.20' to MAC address '50:3c:c4:71:25:c3' using OMAPI (pf::iplog::ip2mac)
Jul 30 02:29:25 httpd.portal(3699) INFO: Matched IP '10.10.50.20' to MAC address '50:3c:c4:71:25:c3' using OMAPI (pf::iplog::ip2mac)
Jul 30 02:29:25 httpd.portal(3485) INFO: Matched IP '10.10.50.20' to MAC address '50:3c:c4:71:25:c3' using OMAPI (pf::iplog::ip2mac)
Jul 30 02:29:26 httpd.webservices(2088) INFO: [50:3c:c4:71:25:c3] DesAssociating mac on switch (10.10.10.120) (pf::api::desAssociate)
Jul 30 02:29:26 httpd.webservices(2088) ERROR: ERROR: Can not connect to controller 10.10.10.120 using SSH (pf::Switch::HP::MSM::_deauthenticateMacWithSSH)

****Reconnection****
Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] handling radius autz request: from switch_ip => (10.10.10.120), connection_type => Wireless-802.11-NoEAP,switch_mac => (2c:44:fd:3f:e2:90), mac => [50:3c:c4:71:25:c3], port => 0, username => "503cc47125c3" (pf::radius::authorize)
Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] Can't find provisioner (pf::vlan::getNormalVlan)
Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] Can't find scan engine (pf::vlan::getNormalVlan)
Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] Connection type is WIRELESS_MAC_AUTH. Getting role from node_info (pf::vlan::getNormalVlan)
Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] Username was defined "503cc47125c3" - returning user based role 'EmployeeRegistration' (pf::vlan::getNormalVlan)
Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] PID: "staffregistration", Status: reg Returned VLAN: 5, Role: EmployeeRegistration (pf::vlan::fetchVlanForNode)
Jul 30 02:30:28 httpd.aaa(2065) INFO: [50:3c:c4:71:25:c3] (10.10.10.120) Returning ACCEPT with VLAN 5 and role (pf::Switch::returnRadiusAccessAccept)

****Switch.conf****
[10.10.10.2]
RoleMap=N
deauthMethod=HTTPS
AccessListMap=N
description=MSM Controller
type=HP::Controller_MSM710
VoIPEnabled=N
radiusSecret=*******
EmployeeVlan=5
Dorm StudentVlan=2
macDetectionVlan=4000
Day StudentVlan=2
isolationVlan=51
EmployeeRegistrationVlan=5
NetAdminVlan=1
registrationVlan=50
voiceVlan=99
cliUser=admin
cliPwd=*******
cliTransport=SSH
cliEnablePwd=*******
mode=production
SNMPCommunityRead=readwrite
SNMPCommunityWrite=readwrite
SNMPVersionTrap=3
SNMPVersion=3
SNMPCommunityTrap=readwrite

[10.10.10.120]
RoleMap=N
controllerIp=10.10.10.2
deauthMethod=RADIUS
AccessListMap=N
description=BasementTemp
type=HP::MSM
VoIPEnabled=N
radiusSecret=******
mode=production
EmployeeVlan=5
macDetectionVlan=4000
Day StudentVlan=2
isolationVlan=51
registrationVlan=50
voiceVlan=99
Dorm StudentVlan=2
EmployeeRegistrationVlan=5
NetAdminVlan=1
cliUser=admin
cliPwd=*******
cliEnablePwd=*******
cliTransport=SSH
wsPwd=*******
wsTransport=HTTPS
wsUser=admin
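
A diagnostic for the mismatch reported in this message, as an added example (not part of the original post and not PacketFence code): it cross-checks deauthentication failures in the log against the switch config and flags a failure when the contacted address differs from that entry's controllerIp or the transport differs from its deauthMethod. The config sample is trimmed from the excerpt above to the keys checked; the function names are hypothetical.

```python
import configparser
import re

# Sample config: trimmed from the post's Switch.conf excerpt to the keys checked.
SWITCH_CONF = """\
[10.10.10.2]
type=HP::Controller_MSM710
deauthMethod=HTTPS

[10.10.10.120]
controllerIp=10.10.10.2
deauthMethod=RADIUS
type=HP::MSM
"""

# Log lines copied from the post's "Initial Connection" excerpt.
LOG_LINES = [
    "Jul 30 02:29:26 httpd.webservices(2088) INFO: [50:3c:c4:71:25:c3] "
    "DesAssociating mac on switch (10.10.10.120) (pf::api::desAssociate)",
    "Jul 30 02:29:26 httpd.webservices(2088) ERROR: ERROR: Can not connect to "
    "controller 10.10.10.120 using SSH "
    "(pf::Switch::HP::MSM::_deauthenticateMacWithSSH)",
]

FAIL_RE = re.compile(r"Can not connect to controller (\S+) using (\w+)")

def load_switches(text):
    """Parse switch config text into {section: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case, e.g. controllerIp
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def check_deauth_failures(conf_text, log_lines):
    """Compare each failed deauth target and transport with its config entry."""
    switches = load_switches(conf_text)
    findings = []
    for line in log_lines:
        m = FAIL_RE.search(line)
        if not m:
            continue
        target, transport = m.groups()
        entry = switches.get(target, {})
        ctrl, method = entry.get("controllerIp"), entry.get("deauthMethod")
        findings.append({
            "contacted": target, "transport_used": transport,
            "configured_controllerIp": ctrl, "configured_deauthMethod": method,
            "bypassed_controller": bool(ctrl) and ctrl != target,
            "method_mismatch": bool(method) and method.upper() != transport.upper(),
        })
    return findings
```

On the lines from this post it reports one failure, against 10.10.10.120 over SSH, while that entry is configured with controllerIp=10.10.10.2 and deauthMethod=RADIUS.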
